MacRumors

macrumors bot
Original poster
Apr 12, 2001


Apple today introduced Apple Security Research, a new website that is dedicated to improving the methods available to security researchers for reporting issues to Apple. The site offers up tools for sending Apple security reports, getting real-time status updates, and communicating with Apple engineers.

In addition to housing information on the Apple Security Bounty program, the website is a blog that will allow the Apple engineering teams to share the latest advances in Apple security. The first post delves into XNU memory safety.

Apple today also shared progress that it has made with the Apple Security Bounty program. In the last two and a half years, Apple has awarded close to $20 million in payments to researchers. Average payouts are around $40,000 in the Product category, and Apple has paid 20 separate rewards over $100,000 for high-impact issues.

Apple says that it is now responding to issues more quickly than before, and has made it easier to report issues and communicate with Apple's teams through the launch of the new website. All bug report status changes are reflected in a new tracker available on the website, which also makes it easier for Apple to collect more information on bugs.

Transparency has been improved as well, with the site offering detailed Apple Security Bounty information and evaluation criteria so researchers have a better idea of what will earn a reward.

Today through November 30, 2022, Apple is accepting applications for the 2023 Apple Security Research Device Program, which provides qualified individuals with an iPhone that is designed specifically to make finding bugs easier.

Article Link: Apple Launches New Security Research Website
 
Bet you $5 this is to get ready for sideloading. Since the Digital Markets Act goes live next month they're gonna get forced to enable it and alternative app stores by March 2024 just like how they're now having to move the iPhone to USB-C.

They're gonna have to open up eventually so this new bounty program and the SRD is gonna be used to close as many vulnerabilities as possible before that time comes.
 
Apple today introduced Apple Security Research, a new website that is dedicated to improving the methods available to security researchers for reporting issues to Apple. The site offers up tools for sending Apple security reports, getting real-time status updates, and communicating with Apple engineers.
Alternatives to the present reporting methods are welcome. Note hiring for additional Security staff on web pad.
 
Macs don't get vir%@%#&&dggb[NO CARRIER]

Your files are encrypted

Many of your important documents, photos, videos, images and other files are no longer accessible
because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time.

Nobody can recover your files without our decryption service.

We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without
any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found AT: CantFSCKtheZuck.meta
located on your Desktop
 
Bet you $5 this is to get ready for sideloading ...
No bet; I came to say exactly the same thing. Apple may be forced into permitting sideloading, but they won't be going down that path without a great deal of kicking and screaming; this website is likely where they plan to conduct their research into exactly how significantly sideloading is affecting security. And if the news about Android sideloaded malware is any indication, there will be no shortage of opportunities to add to that research.
 
I would like to think nobody can find a negative about this program. Seems good and useful.

Well except one: The only people getting SRDs are security researchers with proven track records. C'mon I would've killed to have one of these to play around with iOS's innards. Last time I did that was with iOS 4 on an old iPod Touch 3rd Gen I jailbroke.

God I want sideloading bad.

EDIT: Why you disliking me? I like messing with software workings.
 
Imagine finding a bug serious enough that you get a $100,000+ payment.
 
There are a ton of bugs.

For example, they had a bug in 16 that if you were sent a PDF link like this: https://www.covid.gov/assets/files/Income-and-Financial-Assistance.pdf

and then click it from iMessage it would crash. Nothing special, just a US Gov PDF. It appears to be fixed in 16.1 but when you can crash it with a link that is serious. Certainly having access to something like this helps to find the issue, but not everyone (so far) can get access.
 
No bet; I came to say exactly the same thing. Apple may be forced into permitting sideloading, but they won't be going down that path without a great deal of kicking and screaming; this website is likely where they plan to conduct their research into exactly how significantly sideloading is affecting security. And if the news about Android sideloaded malware is any indication, there will be no shortage of opportunities to add to that research.
Let’s hope not. It’s been an amazing run and would hate for zealots and the govt to ruin it all.
 
Bounties are a wonderful solution to this problem. Wish they were more common in businesses and more for govt research instead of just throwing money at problems.
 
Apart from those saturated product lines and buggy software, at least they got one thing right: THIS. Tech security nowadays is no small issue considering how lucrative the propositions one could get after breaking into numerous devices.
 