Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Hackers Discover 55 Apple Vulnerabilities, Awarded Nearly $300,000 in Bounties [Updated]

I7guy said:
Right or wrong, it depends on your impression before reading this article. IOS is clearly more secure now and has been in the past. Those who are informed know there isn't any system without bugs or vulnerabilities and that it's a cat and mouse game.
Click to expand...

"more secure", in terms of? Not being infected by viruses? Probably, due to the sandboxing mechanism. But we should accept the fact that Apple is becoming more insecure.

Also the fact that Apple paid these guys that amount of money lol. As if they were a tiny company
 
  • Like
Reactions: PC_tech and EvilEvil
This seems like a low payout to me for the amount of effort that went in. Five people spent three months on this and were apparently quite prolific - they found 55 different vulnerabilities that Apple evidently knew nothing about. I feel like somebody able to find these kinds of bugs is probably worth at least $100K/year, and maybe 2-5 times that amount. So they had 5 of these people for 3 months = 15 months or 1.25 years. Apple should be paying a minimum of $125K for it all, and maybe as much as $600K.

On the other hand, though, how much value does Apple get out of having these vulnerabilities solved? Were they ever going to be discovered by malicious actors otherwise? How much damage would those actors have been able to do?
 
Last edited by a moderator:
  • Like
  • Love
Reactions: Shirasaki, sideshowuniqueuser, uther and 6 others
shadyman said:
"more secure", in terms of? Not being infected by viruses? Probably, due to the sandboxing mechanism. But we should accept the fact that Apple is becoming more insecure.

Also the fact that Apple paid these guys that amount of money lol. As if they were a tiny company
Click to expand...
Disagree that IOS is becoming more insecure. If anything with these programs in place, IOS is becoming more secure over time. And do you have some metrics that show that Apple is paying anything other than market rates given the types of security vulnerabilities that were found?
 
  • Like
Reactions: citysnaps
I would be much more happy if the amount paid were maybe five times as much.

I wonder how much the bad guys pay for this kind of information. I would guess a lot more than $51,500!

Good thing these guys were good guys. But there are a lot of bad guys out there who will want a much bigger reward, or they will go elsewhere.

And maybe Apple covertly, reluctantly is OK with that. A good way to have your cake and eat it too regarding China, for example.

Publicly, Apple is relentless and uncompromising in protecting user security and privacy from and within China, even though China demands the right to surveil devices . Go, Apple!

Privately, “well, you know, there may be these exploits out there that the Ministry of state security can use to penetrate our devices at will, but publicly that’s just speculation. After all, we offer thousands of dollars for critical exploits. Thousands! I’m sure no intelligence service would offer more than that to find out what dissidents and counterrevolutionaries are doing around the world. Thousands!!

And honestly, maybe if there were no easy professional-level exploits, Apple isn’t even allowed to sell in China. Ugh.
 
  • Like
Reactions: Shirasaki, vmistery, PC_tech and 1 other person
I7guy said:
Disagree that IOS is becoming more insecure. If anything with these programs in place, IOS is becoming more secure over time. And do you have some metrics that show that Apple is paying anything other than market rates given the types of security vulnerabilities that were found?
Click to expand...
Please show your metrics for market rates. And it is highly unlikely that market rates even exist as each case differs.
 
  • Like
Reactions: Shirasaki and PC_tech
I7guy said:
There are people who want to help and then there are those who want to be bad. Then there are those who are swayed by price. Apple does have a bounty program for the latter.
Click to expand...

One would think that protecting safety of 1+ billion users would be worth a bit more than $50K. At that rate almost anybody can outbid them and whether you want to be the good or the bad at some point $$ difference takes over the horizon. If not for this group then the next which now can put a solid baseline for their future effort.
 
  • Like
Reactions: Shirasaki, 123, PC_tech and 1 other person
I just came here to express my surprise that the total bounty dollars for that many vulnerabilities seems kind of low. You'd reckon the people who found them could have made a lot more money by posting them on the dark web (or maybe they went that path first and then also collected their bounty). Apple would absolutely pay a lot more for security consultants to find those bugs than the paltry bounty they're paying the hackers (and who cares even if they're teenagers in some foreign country)...
 
  • Like
Reactions: Shirasaki, uther, MiniApple and 3 others
$51500 for all 55 vulnerabilities? Considering how many Apple users there are, how severe some exploits were and how much Apple's net worth is, I thought it is 50 grand for each exploit.

No wonder researchers are better off selling it to others than disclosing it to Apple. Researchers and hackers only making money by selling them to the highest bidder is far more problematic than if Apple just were to pay enough so they can fix it before it leaks...
 
  • Like
Reactions: max.ine, 123, PC_tech and 1 other person
"launch a worm capable of automatically taking over a victim's iCloud account"

You'd think that such a bug would warrant the one million dollar bounty. If not that, then what warrants it? I mean the hackers could literally take over Apple employee accounts, see secret hidden product information and automatically take over entire iCloud accounts. Those are insane security holes.
 
  • Like
Reactions: max.ine, vmistery, Velociround and 2 others
Grohowiak said:
One would think that protecting safety of 1+ billion users would be worth a bit more than $50K.
Click to expand...
It depends on a number of factors. How easy is it to invoke the vulnerability. What would be the damage if invoked? Does a reboot remove the vulnerability? Is it a zero day vulnerability. Are there mitigating factors to how this vulnerability can be made to happen, etc? It's not about there is a vulnerability and 1 billion users are at risk.
At that rate almost anybody can outbid them and whether you want to be the good or the bad at some point $$ difference takes over the horizon. If not for this group then the next which now can put a solid baseline for their future effort.
Click to expand...
 
  • Like
Reactions: Colstan
Why don't you guys read the article? They have gotten money for FOUR exploits SO FAR. They WILL GET MORE MONEY.

Macusercom said:
$51500 for all 55 vulnerabilities? Considering how many Apple users there are, how severe some exploits were and how much Apple's net worth is, I thought it is 50 grand for each exploit.

No wonder researchers are better off selling it to others than disclosing it to Apple. Researchers and hackers only making money by selling them to the highest bidder is far more problematic than if Apple just were to pay enough so they can fix it before it leaks...
Click to expand...
adamdport said:
$50k split between 5 people over 3 months...that's the equivalent of $40k/yr for these guys. I guess it didn't say they were working 40 hours a week, or were full time on apple though.
Click to expand...
Northern Man said:
That seems to be quite a low payment for finding 55 problems. Each guy made about $850/week.
Click to expand...
ArtOfWarfare said:
This seems like a low payout to me for the amount of effort that went in. Five people spent three months on this and were apparently quite prolific - they found 55 different vulnerabilities that Apple evidently knew nothing about. I feel like somebody able to find these kinds of bugs is probably worth at least $100K/year, and maybe 2-5 times that amount. So they had 5 of these people for 3 months = 15 months or 1.25 years. Apple should be paying a minimum of $125K for it all, and maybe as much as $600K.

On the other hand, though, how much value does Apple get out of having these vulnerabilities solved? Were they ever going to be discovered by malicious actors otherwise? How much damage would those actors have been able to do?
Click to expand...
DEXTERITY said:
Apple should pay more
Click to expand...
apparatchik said:
50k divided by 5 professional hackers x 3 months equals 3.3K a month... not really much for this level of security testing and research if you ask me
Click to expand...
ghostface147 said:
I thought they would have gotten paid more for 55 vulnerabilities.
Click to expand...
Grohowiak said:
Next time they will sell it to somebody else.
Click to expand...
Macusercom said:
$51500 for all 55 vulnerabilities? Considering how many Apple users there are, how severe some exploits were and how much Apple's net worth is, I thought it is 50 grand for each exploit.

No wonder researchers are better off selling it to others than disclosing it to Apple. Researchers and hackers only making money by selling them to the highest bidder is far more problematic than if Apple just were to pay enough so they can fix it before it leaks...
Click to expand...
 
  • Like
Reactions: Gasu E., Colstan, Velociround and 1 other person
To those thinking OSX is better than any other OS in terms of security, you are mistaken.
Back then it was worse with unreported or secret, or maybe a benefit for say jb users.

Apple is doing this bounty thing because money is the key influence to motivate people to find these things and patch. This is something companies have to do to be well more secure rather than relying on private users since they can't identify a bug in their shorts.
 
  • Like
Reactions: PC_tech
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back