Apple, rather unusually in today’s cybersecurity world, rarely announces that security fixes are on the way.

There’s no equivalent of Microsoft’s Patch Tuesday, which is a regular and predictable fixture in anyone’s cybersecurity calendar; there’s no “new version every fourth Tuesday” as there is with Firefox; there’s no predetermined quarterly schedule for patches as you get with Oracle’s products.

Apple’s approach is to keep everything under wraps until a working update is ready, and then to announce the patch at the same time that it is published:

Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available.

Interestingly, Apple says that the official reason for doing it this way, rather than having a more regular process that you can plan around, is: “For the protection of our customers”.

Play your cards close to your chest

We understand the theory.

The idea behind security patches that “just show up” is that as soon as updates are announced or published, crooks and legitimate researchers alike start trying to work backwards from the fix in order to figure out the details of the vulnerability and how it might be exploited.

Generally speaking, finding vulnerabilities in a complex software bundle is much easier if you know exactly (or even roughly) where to start looking, in the same way that it’s a lot easier to solve a crossword puzzle clue if you know the first letter of the answer.

(Bear in mind that, although all security vulnerabilities are exploitable in theory, many or most bugs that get patched are close to impossible to exploit effectively in real life – you might be able to figure out how to crash a program, for example, but not actually to take it over and implant malware or steal data.)

So why give anyone, especially the crooks, advance warning of what’s coming?

Why not play your cards close to your chest so you don’t inadvertently give the crooks a head start?