Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Hackers Discover 55 Apple Vulnerabilities, Awarded Nearly $300,000 in Bounties [Updated]

The bounties do seem low, but we also don't know the attack vectors. While the vulnerabilities seem very serious, it may require a particular setup or access that would be very improbable. Or, maybe they are just low...
 
Kabeyun said:
Exactly. Well put. That’s why, knowing there’s no such thing as an unhackable mainstream OS, Apple now has a bug bounty program, paid them quickly, and promptly remediated the bugs they found. I would’ve had the same comment.
Click to expand...
Took Apple a long time to establish a bug bounty program and they probably only did so as the bad press reports were mounting.
 
centauratlas said:
I, too, am glad they reported some, but we don't know that they reported them all though. They might have found 56 and sold the last one to someone willing to pay much more since it was more significant.

Or they might have found 55 out of 60 in the area they were looking, and someone else (e.g. NSA, FBI, CIA, Russia, China, UK, Germany, Australia, NK, Cuba etc) could have found another 5.

It is great they are seemingly white hat hackers and reporting them responsibly, but no one can say that with any certainty.

For black hat hackers, this would be a perfect cover. Find a bunch of bugs, report them, to get access to the special phones. Use that special access to keep reporting 99% of the ones found, while keeping the last 1% of significant bugs for sale to the highest bidder (anonymously of course).
Click to expand...
Well... they didn't exactly make very much money from Apple. There are many companies in existence whose entire business model is selling 0-day exploits to the highest bidder. In some jurisdictions that's called racketeering or organized crime as opposed to a business plan, but <shrug> relocate to a jurisdiction that's fine with it and doesn't care.

FWIW the #1 buyer of 0-days is of course the US government.

I'm pretty sure this is just the tip of the Swiss-cheese iceberg. Checkra1n is doing fun things to the T2 that Apple doesn't highlight much, 'cuz it can't fix them.

Just sayin' It's not like Apple is unique, that's every OS and the internet. If you want security, then don't toss it in someone else's cloud and don't connect it to tEh internet.

5 minutes after building a better mousetrap, inevitably, a better mouse emerges <-- infinite loop.
 
  • Like
Reactions: MiniApple and I7guy
Apple needs to raise their bounties. These guys pulled in $3k a month doing this? That's not a sufficient motivator, and relies too strongly on their ethics to sell what they know to what is surely the lower bidder.

The way I see it, this kind of security testing requires highly skilled people who can easily make better money doing other things. If that's not true, and these guys found these holes anyway, then there are way too many holes. Either way, Apple should be paying more to sort these out.

The goal should be to have a high enough bounty that your system is secure enough you don't have to pay the bounty.
 
  • Like
Reactions: Schismz and jimbobb24
Finding these vulnerabilities are so valuable if I were Apple I would pay double or triple this. I would want everyone looking for them to make the code better.
 
  • Like
Reactions: Schismz
Neither response is accurate.
Dekema2 said:
Pretty stingy for a trillion dollar company.
Click to expand...
They aren't stingy. The situation was fluid and still updating. Apple has thus far paid over $288K and reportedly could end up paying more than $500K. Hardly stingy.
Kabeyun said:
Bug bounties are not typically proportional to corporate net worth. They have going rates, with zero-day exploits being the most valuable.
Click to expand...
The $50K would have hardly been the going rate for 11 critical vulnerabilities. Had it been $50K total, that would have been stingy for 55 disclosures. Since that wasn't the case, it's moot. When it's all said and done, Apple will have paid an amount that shows appreciation for the work done and incentivizes others to disclose to them instead of vulnerability brokers and 3-letter agencies.
Details at Ars: https://arstechnica.com/information...-of-internal-apple-network-get-288000-reward/
 
  • Like
Reactions: Gasu E., iAssimilated and CarlJ
Apple is vastly under compensating these researchers. They should be getting bonuses 10x as large as they do.

By being cheap, Apple risks some researchers selling their discoveries to malicious 3rd parties.
 
  • Like
Reactions: Schismz
Five guys, three months, fifty thousand dollars. I hope these guys didn't quit their day jobs.
 
Robert.Walter said:
Apple is vastly under compensating these researchers. They should be getting bonuses 10x as large as they do.

By being cheap, Apple risks some researchers selling their discoveries to malicious 3rd parties.
Click to expand...
RustyIron said:
Five guys, three months, fifty thousand dollars. I hope these guys didn't quit their day jobs.
Click to expand...
If you read the post above yours and clicked on the link, you wouldn’t be so quick to criticize Apple. But carry on.
 
  • Like
Reactions: Gasu E. and CarlJ
What are all the people that only trust Apple with their CC information going to do now that they know Apple isn’t perfectly secure? 🤣
 
$51,500 / 5 men / 3 months = $3,500 per month before taxes and expenses. If this was full time by seasoned professionals that perform above Apple IT skill levels then the bounty hunt can hardly be called "considerable payments"...
 
JagRunner said:
What are all the people that only trust Apple with their CC information going to do now that they know Apple isn’t perfectly secure? 🤣
Click to expand...
Imagine how bad it would be if one had to give their cc all over the net and vulnerabilities were never patched at these multiple third parties. 😂
 
ss2cire said:
wow. just glad they (hackers) reported it to apple so they (apple) could fix the vulnerabilities.
Click to expand...

Damn, if you didn’t clarify I would have thought you were saying they (apple) reported it to apple so they (hackers) could fix the vulnerabilities.:p
 
  • Haha
Reactions: ss2cire
RustyIron said:
Five guys, three months, fifty thousand dollars. I hope these guys didn't quit their day jobs.
Click to expand...

Competent whitehat hackers like them are paid a considerable amount by different companies. It was obviously worth it to them for their time to get the award. I very much doubt they were doing this for most of the 3 months.
 
JagRunner said:
imagine being scared to use your card outside the Apple App Store.
Click to expand...
Yeah, imagine wanting to spend more time reconciling the charges than needed. But if it’s your desire to spread the wealth, charge around, give hour cc to multiple unknown third parties...I’m sure android can accommodate you.
 
I7guy said:
Yeah, imagine wanting to spend more time reconciling the charges than needed. But if it’s your desire to spread the wealth, charge around, give hour cc to multiple unknown third parties...I’m sure android can accommodate you.
Click to expand...

ive been using CCs all over the place for decades. I’ve probably had ONE fraudulent charge In that entire Time. CC company took care of it swiftly.

It’s ok to come out into the real world. You’ll be ok lol
 
  • Like
Reactions: Expos of 1969
I always want to know when hackers try to find a vulnerability, where do they start?

either way, $50K is peanuts for 55 issues on a company the size of Apple. They should have gave them $500K, if someone found those vulnerabilities people will be suing Apple like crazy.
 
JagRunner said:
ive been using CCs all over the place for decades. I’ve probably had ONE fraudulent charge In that entire Time. CC company took care of it swiftly.

It’s ok to come out into the real world. You’ll be ok lol
Click to expand...
Actually, I've had a spate of fraudulent charges over the years. Yeah, so it's nice not to worry about that with Apple. And if it does come to pass, I know it will be dealt with in a reasonable manner.

It's really ok, you're allowed to admit it's (the app store) a pretty good system.
 
69Mustang said:
Neither response is accurate.

They aren't stingy. The situation was fluid and still updating. Apple has thus far paid over $288K and reportedly could end up paying more than $500K. Hardly stingy.

The $50K would have hardly been the going rate for 11 critical vulnerabilities. Had it been $50K total, that would have been stingy for 55 disclosures. Since that wasn't the case, it's moot. When it's all said and done, Apple will have paid an amount that shows appreciation for the work done and incentivizes others to disclose to them instead of vulnerability brokers and 3-letter agencies.
Details at Ars: https://arstechnica.com/information...-of-internal-apple-network-get-288000-reward/
Click to expand...
Stratus Fear said:
MacRumors really should update this post. They've now received nearly $300k in payments. Apparently Apple does not pay in lump but in batches as they confirm and fix vulnerabilities.

Source: https://threatpost.com/3-month-apple-hack-vulnerabilities-critical/159988/
Click to expand...

This! Yes, I too, believe MR should update this article since new information has come out showing these researchers are getting way more money than originally stated. I applaud their work and I am happy Apple is compensating them appropriately.

EDIT: It appears MR has updated the article. Thank you!
 
Last edited:
  • Like
Reactions: Gasu E.
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back