Took Apple a long time to establish a bug bounty program and they probably only did so as the bad press reports were mounting.

Exactly. Well put. That’s why, knowing there’s no such thing as an unhackable mainstream OS, Apple now has a bug bounty program, paid them quickly, and promptly remediated the bugs they found. I would’ve had the same comment.
Well... they didn't exactly make very much money from Apple. There are many companies in existence whose entire business model is selling 0-day exploits to the highest bidder. In some jurisdictions that's called racketeering or organized crime as opposed to a business plan, but <shrug> relocate to a jurisdiction that's fine with it and doesn't care.

I, too, am glad they reported some, but we don't know that they reported them all though. They might have found 56 and sold the last one to someone willing to pay much more since it was more significant.
Or they might have found 55 out of 60 in the area they were looking, and someone else (e.g. NSA, FBI, CIA, Russia, China, UK, Germany, Australia, NK, Cuba etc) could have found another 5.
It is great they are seemingly white hat hackers and reporting them responsibly, but no one can say that with any certainty.
For black hat hackers, this would be a perfect cover. Find a bunch of bugs, report them, to get access to the special phones. Use that special access to keep reporting 99% of the ones found, while keeping the last 1% of significant bugs for sale to the highest bidder (anonymously of course).
1 - yes, they took longer than they should’ve

[1] Took Apple a long time to establish a bug bounty program and [2] they probably only did so as the bad press reports were mounting.
Bug bounties are not typically proportional to corporate net worth. They have going rates, with zero-day exploits being the most valuable.

Pretty stingy for a trillion dollar company.

They aren't stingy. The situation was fluid and still updating. Apple has thus far paid over $288K and reportedly could end up paying more than $500K. Hardly stingy.

Pretty stingy for a trillion dollar company.

The $50K would have hardly been the going rate for 11 critical vulnerabilities. Had it been $50K total, that would have been stingy for 55 disclosures. Since that wasn't the case, it's moot. When it's all said and done, Apple will have paid an amount that shows appreciation for the work done and incentivizes others to disclose to them instead of vulnerability brokers and 3-letter agencies.

Bug bounties are not typically proportional to corporate net worth. They have going rates, with zero-day exploits being the most valuable.
Apple is vastly under compensating these researchers. They should be getting bonuses 10x as large as they do.
By being cheap, Apple risks some researchers selling their discoveries to malicious 3rd parties.
If you read the post above yours and clicked on the link, you wouldn’t be so quick to criticize Apple. But carry on.

Five guys, three months, fifty thousand dollars. I hope these guys didn't quit their day jobs.

Imagine how bad it would be if one had to give their cc all over the net and vulnerabilities were never patched at these multiple third parties. 😂

What are all the people that only trust Apple with their CC information going to do now that they know Apple isn’t perfectly secure? 🤣
Wow. Just glad they (hackers) reported it to Apple so they (Apple) could fix the vulnerabilities.
Five guys, three months, fifty thousand dollars. I hope these guys didn't quit their day jobs.
Imagine how bad it would be if one had to give their cc all over the net and vulnerabilities were never patched at these multiple third parties. 😂
Yeah, imagine wanting to spend more time reconciling the charges than needed. But if it’s your desire to spread the wealth, charge around, give your cc to multiple unknown third parties... I’m sure Android can accommodate you.

Imagine being scared to use your card outside the Apple App Store.

Yeah, imagine wanting to spend more time reconciling the charges than needed. But if it’s your desire to spread the wealth, charge around, give your cc to multiple unknown third parties... I’m sure Android can accommodate you.

Actually, I've had a spate of fraudulent charges over the years. Yeah, so it's nice not to worry about that with Apple. And if it does come to pass, I know it will be dealt with in a reasonable manner.

I've been using CCs all over the place for decades. I’ve probably had ONE fraudulent charge in that entire time. CC company took care of it swiftly.
It’s ok to come out into the real world. You’ll be ok lol
Neither response is accurate.
They aren't stingy. The situation was fluid and still updating. Apple has thus far paid over $288K and reportedly could end up paying more than $500K. Hardly stingy.
The $50K would have hardly been the going rate for 11 critical vulnerabilities. Had it been $50K total, that would have been stingy for 55 disclosures. Since that wasn't the case, it's moot. When it's all said and done, Apple will have paid an amount that shows appreciation for the work done and incentivizes others to disclose to them instead of vulnerability brokers and 3-letter agencies.
Details at Ars: https://arstechnica.com/information...-of-internal-apple-network-get-288000-reward/
MacRumors really should update this post. They've now received nearly $300K in payments. Apparently Apple does not pay in a lump sum but in batches as they confirm and fix vulnerabilities.
Source: https://threatpost.com/3-month-apple-hack-vulnerabilities-critical/159988/