I was just thinking about this recently. Did Apple ultimately get all of those devices back?
Not sure, I suspect any developer who has not returned it will probably have their dev account flagged internally.
 
Given the import of the issue itself and the attention it has received, this is an issue deserving of a CEO-level response with an apology and an action plan to fix the issue.

It’s nonsense that some lower-level employee responded with vague reassurances of an ongoing investigation.

The initial reports surfaced about 4 business weeks ago. That’s plenty of time to grasp the internal issues and release a robust action plan.

This response is not OK. At this point I’d be ok with congress pulling apple’s CEO, CTO and CSO in for a hearing.

I posted the following on the 9th and Apple has proved it to be truer than ever:


At this point I can accept no excuse or justification from apple for why it isn’t paying best in class bounties.

Slow to scale excuses arguments? Ridiculous.

Smaller than industry rewards? It’s literally a marketplace of exploits. Not every hacker is a white hat. Some are beyond US Justice, others it takes years to catch. When Apple isn’t the first stop for exploits, in such cases the damage is done by the time such holes are closed and the crooks caught.

For God’s sake, people have literally died and been hacked into pieces because of unpatched Apple bugs.

And in the meantime Apple wants us to put our medical histories, identification, house and office keys in our devices…

Yes we can blame NSO and FSB etc, but they are finding what is already there. There is no reason Apple couldn’t find most of it first if it doubled down on this.

Apple is the richest company in the history of humanity. It has the financial resources to rival some nation states. There is no traditional business barrier to Apple doing what it needs to here.

Not able to run a robust bug discovery program that draws the best and most submissions (and conversely staffing internally to handle these)? Apple is fully able.

There is no reason that the above can’t be solved. And at this point it is only because of perceptual and cultural lag, possible arrogance, clear lack of CEO priority, and definite CFO cheapskatedness.

I might add it’s pretty glaring that attention and resources are lacking here even as Apple instead builds proof of concept golden keys inviting state coercion to expand their CSAM intrusion into other areas…
 
In the end Apple loaned the DTK for free to devs; they got full reimbursement for that. But with dev feedback on issues/bugs, it's sheer luck if you get acknowledged unless what you are reporting concerns something they are working on at that time. Having to make it public to get their attention is not helping them, even if it's typical of larger companies.
If by loan you mean put down a non-reimbursed deposit or later low ball reimbursement to terminate the program in under a year then sure your definition of “free” differs from the English dictionary. 😝
 
The developer is making unproven accusations. That, alone, is enough for me to say he can go suck an egg. To claim Apple "covered up" one of the bugs, without proof, is very unprofessional and not worthy of credit.

Except facts. And a public apology (this is, at minimum, an acknowledgment).
 
Just wanted to quote this in bold, since it's the sort of thing people keen on criticizing tend to tune out:

Tokarev first contacted Apple about these bugs between March 10 and May 4, so Apple has had months to issue patches, but it's worth noting that several security researchers and Tokarev himself have confirmed that the bugs are not highly critical as exploiting them would require a malicious app to first receive App Store approval.

I'm not saying Apple did everything right here, but I think this does put things in perspective.
 
Gotta up your game on security, Apple. Security == Privacy.

I don't have much tolerance for being aware of serious flaws and not acting on them immediately.
Apple has not been a leading tech company for a long time. They are just about marketing a so-so product to kids that don't know any better to make the big bucks.
 
One of the things that often takes over in highly secretive, opaque companies is that they only end up listening to their own echoes. Everybody else is ignored.

It's funny that Apple wants everybody to go back to work in their office in order to improve innovation that comes from random interaction. From what I can tell from former employees, nobody is really supposed to talk to anybody about much of anything. So, how's that fit into random conversations bringing about innovation? There are probably some good reasons (or bad) for why Apple wants people sitting in their buildings, but that ain't one. Anyway, the culture there is one of secrecy and paranoia - at least at the management level - so it's no wonder that outside information doesn't get much attention.

It's too bad. Highly segmented organizations tend to be very inefficient and cost a lot of money.
 
The developer is making unproven accusations. That, alone, is enough for me to say he can go suck an egg. To claim Apple "covered up" one of the bugs, without proof, is very unprofessional and not worthy of credit.
I don’t know, I mean this IS a non-critical bug. Maybe… just maybe Apple DID cover it up because they were like “NAAAAAH, iOS ONLY HAS CRITICAL BUGS! We can’t let the world find out that Apple ALSO has NON-CRITICAL bugs. We’d be laughed out of the CRITICAL BUGS ONLY Sunday luncheons!!”

“Can’t we just pretend that it’s actually critical? Like, put out a note saying that it totally DOESN’T require an app to be approved onto the App Store? I mean, technically, if a developer installs it onto their own phone…”

“No, the ONLY thing we can do is bury this bug, let NO one know of it. Put our best folks on it. And remember, this Sunday is SALMON Sunday… your Sunday seafood DEPENDS on you successfully burying this bug!”
 
Given the import of the issue itself and the attention it has received, this is an issue deserving of a CEO-level response with an apology and an action plan to fix the issue.
The import of the issue that the developer states is “not highly critical”? Shouldn’t a CEO-level response be expected for something more like a highly critical bug? OR… I don’t know, at least… just plain… critical?

If not, I’ve submitted a BUNCH of “not highly critical” bugs as well. I’ll be expecting my CEO-level response any day now!
 
This is most companies these days.
I guess it’s only a matter of time when they realize that anybody on the forums, feedbacks, community discussions, etc can potentially go full nuke on social media, in which case I hope they start getting onto things before it comes to that…

In a good place? Not so sure about that. Sounds like they haven't even looked into trying to fix them yet. A developer in the Jailbreak arena saw his post and created a patch for the jailbreak community within a day or two. How ironic.

Apple can't do the same with their resources? Hmm.
This I find crazy…
at my job sometimes I get “educated” by some young one showing something online that happens to be something quite impressive done in a fraction of the time that our “armies of professionals” might not even manage to do.

I don’t know about Apple’s engineers, but for myself those instances are wake-up calls and might translate to some intense overtime, personal R&D, validating, learning, etc. to at least patch that knowledge on my side. I find it unacceptable and worthy of a serious employment warning… it’s even their own software; they are supposed to be at an advantage in knowing it.
 
Let’s see, bugs they are investigating but don’t have a solution for is better than having an open door to flaws like Android, where these same security folks clearly don’t hold Google to the same standard. On more than one occasion there have been multiple major flaws that went years unpatched, and when they were too deep they just stopped support after two years. Imagine the stink if, instead of repairing it, they said, instead of 5-6 years of support like normal, we are going to just start over at 2 years right now. Even though most devices are stuck on the old OS.
What you indirectly suggest here is dangerous and a common mistake.

When a person, company or nation benchmarks against a lesser performing competitor and takes comfort and complacency in that as opposed to holding itself to a standard of excellence and continuous improvement (based on what is reasonably doable), decline and adverse events and publicity are possible.

As recent history has shown here.
 
The import of the issue that the developer states is “not highly critical”? Shouldn’t a CEO-level response be expected for something more like a highly critical bug? OR… I don’t know, at least… just plain… critical?

If not, I’ve submitted a BUNCH of “not highly critical” bugs as well. I’ll be expecting my CEO-level response any day now!

A vigilant CEO and upper management look at and react to things like this not from a single-bug perspective (unless that bug is a critical one) but from a systemic and organizational perspective.

There is clearly something not working right in Apple’s bug fix programs if the recent reports reflect some degree of reality.

Some commenters here (not necessarily you) seem to try to rationalize Apple’s poor performance here with irrelevant issues or comparisons to lesser-performing competitors.

The key issue here is Apple has made privacy and security its main public tent poles for years and now it’s doing a poor job on both of these.

It imperils their future growth performance to some degree, and invites regulatory scrutiny and regulation, because it puts consumer confidence (walk/talk mismatch) and private critical information at some elevated degree of risk.
 
Okay. Pretty sure they edited their message but if not then my bad. The rest of my statement still holds true.

And since we are nitpicking: you’re* not your
Thank you. Aurotocorewct gwts me a gain.

And completely goes awol for the above sentence.

😂
 
And I don't even blame the hackers. Finding these takes a lot of time and skill.
I do. Exploits can put a lot of people in danger.

At this point I’d be ok with congress pulling apple’s CEO, CTO and CSO in for a hearing.
Isn’t it a bit extreme to hold a congressional hearing over how a company handles a bug bounty program? :p

Apple is busy creating new emojis, no time to fix bugs.
Apple or the Unicode consortium?

They are just about marketing a so-so product to kids that don't know any better to make the big bucks.
Hot take! If that’s how you feel, I don’t understand why you are spending time on an Apple rumor web site :)
 
The developer is making unproven accusations.
You are making not just unproven, but demonstrably wrong accusations:

The developer has proven his point by publishing these exploits, and he would be in really deep **** if he hadn't contacted Apple upfront.
 
Quote: "Apple CEO Tim Cook said earlier this year that the upcoming rules could "destroy the security" of the ‌iPhone‌"

Timmy boy, it's already destroyed; there's no reason not to allow 3rd party app stores. If I want to destroy my iPhone security I should be able to; it won't get any worse than it is now.

And maybe, just maybe, Apple would invest much more in security if sideloading was allowed?
 
I've been out of it for a while now, but untethered jailbreaks used to be worth a million. Probably more now.

At this point, it's been so long since a full one like that has been on the open market that it's probably significantly more. IMO the real money is probably in iBoot/secure enclave exploits now.
 
You are making not just unproven, but demonstrably wrong accusations:

The developer has proven his point by publishing these exploits, and he would be in really deep **** if he hadn't contacted Apple upfront.

I agree with the thrust of your post, but if the researcher is based in the US (I've seen speculation that they are not) this is protected speech under the First Amendment and no prior disclosure is required. This is exactly why this behavior from Apple is so dangerous—developers are trying to do the right thing and Apple is making the public disclosure angle more attractive instead. These bugs are important for résumé building.
 
Given their emphasis on privacy and security, and their considerable wealth as a company, Apple should have the best relationships with and bounties for security researchers, full stop.
 
Just wanted to quote this in bold, since it's the sort of thing people keen on criticizing tend to tune out:



I'm not saying Apple did everything right here, but I think this does put things in perspective.

I think that underestimates the point, to be honest. There are plenty of ways to hide code through App Store review and then trigger it later, and we've seen lots of examples over the last twelve months (gambling apps that only work in some territories so they sail through app review, illegal piracy services unlocked after a trivial combination advertised elsewhere is entered, and ultimately there was that Epic lawsuit after Fortnite changed things post app approval).

Would you get caught? Sure. You might get a million victims before that, and more importantly if you're a nation state with false credentials to burn you have quite possibly got your target.
 