Apple patches QuickTime 7.6.2 for ZDI flaws
From the 'pay for bugs' files:
Among the critical issues patched by Apple is one discovered by noted security researcher Charlie Miller (who sold the vulnerability to ZDI). Miller has successfully hacked Macs and iPhones at PWN2OWN and Black Hat events in the past.
Many of the issues patched by Apple in the 7.6.2 update are related to heap buffer overflow conditions, which, when triggered, enable an attacker to execute code. In most cases, Apple's fix is to implement more bounds checking to ensure that overflows don't occur and that, when they do, code can't be arbitrarily executed.
With so many of the flaws in this update being reported by way of a single reporting group, I think it clearly shows the value of the ZDI model. If you pay for security research, then results will follow. Had ZDI not paid for these flaws, I think there could have been more potential for these issues to have been legitimate zero-day issues in the wild that put millions of users at risk. ZDI keeps the vulnerabilities private and doesn't release them, providing Apple and its users with what I consider to be an invaluable service.