Apple Introduces $2M Bug Bounty for Spyware-Level Exploits

[racerhomie]

Companies should focus heavily on this.. especially with all the hacking by state actors like Mossad going on.

Mossad and CIA and other State agency exploits aren’t easily getting exposed with this. This is for the mercenary level spyware sold by companies in Israel and other nations like the USA. The funding and importance of the agency level exploits are more than is being offered by Apple

 

[max2]

Absolutely right. This is something that many people just don't appreciate. There is money to be made in finding vulnerabilities and those doing so may wish to sell to the highest bidder, rather than doing the right thing. All companies that create software or hardware that will eventually become the target of hackers should be offering a bug-bounty program. Because if they don't pay for the information, someone else will.

Already happens a lot.

 

[macbookj0e]

How much safer in relative terms does the new memory security in the 17 series help preventing malware etc?

I have no idea how big or small a deal that is…

 

[racerhomie]

How much safer in relative terms does the new memory security in the 17 series help preventing malware etc?

I have no idea how big or small a deal that is…

It’s a pretty big deal according to John Gruber

Apple Announces ‘Memory Integrity Enforcement’

Link to: https://security.apple.com/blog/memory-integrity-enforcement/

daringfireball.net

 

[macduke]

Years ago I submitted a lock screen bypass with video proof and never got paid anything. Ended up getting fixed soon after. Never reporting to them again.

 

[ikramerica]

What information are we talking about being worried about?

Despite all of our concerns about it, one way or another it seems like those that want to know have figured out who we are, where we are, where we go, what we do, what we buy, our SS #, all our vitals and family tree, our credit risk, net worth, assets on hand, if you're sick, if you're pregnant .. on and on and on..

What info are we protecting exactly?
Just credit card numbers from fraud I guess?

Don't misunderstand me -- I want to protect it all!
It just seems like we are largely running plays after the game already ended.

Debit card numbers and fraud. I couldn’t care less if someone tries to defraud my credit card company. They will take care of it because it’s their problem and they have been collecting 2-4% on all my purchases for decades.

That’s why I refuse the Debit feature.

 

[turbineseaplane]

Debit card numbers and fraud. I couldn’t care less if someone tries to defraud my credit card company. They will take care of it because it’s their problem and they have been collecting 2-4% on all my purchases for decades.

That’s why I refuse the Debit feature.

Smart - agree with you on that particular one for sure.

I've started using a Future debit card as a go between (load value as I need it).
I really only got it for the 10% cashback on EV charging

 

[Jumpthesnark]

I think the overall culture shift at Apple is now for others to fix things. A bug bounty program is great as a supplement, but not releasing high quality software from the get go for what Apple charges seems to be mitigating that extra price you pay for a smooth operation.

Any evidence that Apple has made a "shift" "for others to fix things" and that this isn't, as you say "a supplement?"

 

[Jumpthesnark]

$2million? Thats like you or I giving a beggar on the street one penny.

On the other hand, it's actually like someone actually receiving $2M.

 

[fahlman]

Companies should focus heavily on this.. especially with all the hacking by state actors like Mossad going on.

...and Iran, North Korea, China, Russia, etc., etc., etc.

 

[duervo]

You know what really grinds my gears about Apple and this new bug bounty program update? The ghost of Steve Irwin.

 

[con2apple]

I use macOS. Do I trust that my information is 100% secure? No. If I was using Linux (which I won’t be) would I trust it 100%? No.

In my opinion, 100% trust is not possible. I don't even do that with myself.

Ultimately, it boils down to the question of whether, given the shortcomings and lack of information, is there enough trust to use the product?

I use MacOS, for example. Because the company has invested a lot of effort in hardware security and control mechanisms in the operating system.
This compensates for the lack of motivation in software quality.

On the other hand, I don't use iCloud Drive. I already rely on E2E encryption. But since Apple treats the product like a folder, without any options for recovery, etc., I prefer not to entrust Apple with any important documents.

The company has done better with Apple Photos, which is why I haven't been able to find an alternative so far.

It's a constant balancing act. There's no such thing as "this company is trustworthy"; it depends on the product.

 

[svish]

Good to see Apple paying attention to security. Expecting even stronger security features in future versions of the software.

 

[JonaM]

Great program, worst execution. There have been so many exploits that have been disclosed and those who find it do not get even remotely what Apple promises them. This is the reason many exploits remain hidden and get sold to higher bidders

In theory the changes should address that - if you can extract the flag showing that you gained that access then that's the proof for payment. It does remove the arguments about what type of exploit it is - you get the flag, you get the money (assuming that no-one else got it first)