They should up it ten times, yes - and then the tax-payer should compensate them.
Because the government has created this very market and could shut it down any time, if they wanted to.
You mean like it could shut down any other market involving criminal actors, like the drug trade, if they wanted to?

Yes, the government could probably lower prices by ceasing to buy any vulnerabilities. They could make it more criminal by not participating. But they could not shut it down, the same way they cannot shut down the market for other illicit goods like drugs.
It doesn't work that way. If Apple raised the bounty, they would just get in a bidding war with each new bug that is found, as security researchers, criminals, intel agencies, etc., would just announce that they would pay more. Apple set a reasonable bounty for someone who wants to work with them; there is no practical or sensible way to try and outbid others every time someone finds a bug.
Apple could in principle probably raise prices so much that most criminals would refrain from buying because the reward-to-investment ratio is too low.
Make selling vulnerabilities to third parties illegal and that will change the balance.
That worked so well in the drugs trade.
 
Companies like Apple, with such importance placed on security and reliability, should be paying obnoxious bounties on bugs and security flaws. In the process you might turn a few more hackers into champions of good.
 
Clearly you don't know what a security research firm is. There are lots of companies these days that make all their profit by simply getting their employees to find bugs and report them to a company that pays up: Facebook, Google, Apple, etc. It can sometimes take several months to find out how to reproduce a bug. So $200,000 for the worst kinds of bugs honestly may not be enough for a company trying to pay salaries.
Indeed, this is not just about outbidding black hats, it's also about incentivising white hats to even spend enough time on Apple software.
 
One word: "ethics".



So, these modern security research businesses are spending millions on highly trained researchers, such as yourself or the ones you described, so that they can find a bug and then decide: Do I sell this to Apple for $200k, or to the bad guys for $millions? Is that the purpose of these Modern Security Research Businesses? Honestly, it sounds more like Tech Crooks.
 
This shows you how much your data is actually worth ($25,000). Yup. Not even a cent per device. No wonder that hackers opt for other channels. Which doesn't mean bad news for you. No. But in the end it is all Apple's fault. It's their bug, their bug bounty program, and the way they handle it. Your data should be worth 1m at the very least.
 
You mean like it could shut down any other market involving criminal actors, like the drug trade, if they wanted to?

I believe this is true.
The drug trade could be shut down. But there is enough evidence that the big players are, again, nation-states or nation-state backed.


Yes, the government could probably lower prices by ceasing to buy any vulnerabilities. They could make it more criminal by not participating. But they could not shut it down, the same way they cannot shut down the market for other illicit goods like drugs.
Apple could in principle probably raise prices so much that most criminals would refrain from buying because the reward-to-investment ratio is too low.

You forget that the "criminals" are often other nation-states (or companies more or less directly sponsored by nation-states in the sense that nation-states are their customers).

I can understand that Apple does not want to touch that world with a barge-pole.
 
The prices don't seem bad, and in fact seem pretty generous. I googled some other tech companies' payouts and they are nowhere near Apple's.

Facebook claimed their largest payout ever was just $33,500. A bug that was reported that could unlock any user's account received just $15,000.

Microsoft's top payout is $30,000, with Google (apps such as Gmail or YouTube specifically, not Android) just slightly up from there at $31,337. Unrestricted file system access that can lead to a Google account takeover receives a max of $13,337 from Google.

For the Android part of Google, the top amount is $150-200k which is more on par with Apple.

I think the underground market will always pay more no matter what price Apple sets.

It does make perfect sense.
The most important customers for exploits in the six to seven figure marketplace are intelligence services.

What do they need?
a) access to some online accounts, which they get from MS, Google, Apple, Facebook etc. anyway?
b) a way to access encrypted data which even manufacturers themselves can't get access to?

Find a feasible way to break AES and you will easily make 8 figures.
It's all dictated by supply and demand and the buyer's budget.
 
Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

Enough to not cause major issues for hundreds of millions of users.
Well, if you do anything other than report it directly to Apple you're by definition a bad guy. As for the compensation, nobody made you mess around with Apple's systems; you decided to put your own time into it. So if you sell it to a bad guy, it shows your morality and that you couldn't care less...

Oh please, get off your high horse. I don't buy this bull that Apple cares about me and does what is "right". It wants my money, plain and simple. It wants to make as big a return for its investors as it can; it's their job.
Let that sink in: your security is worth no more than $200K.

No, not your security. Hundreds of millions of users' security. Let THAT sink in.
 
It isn't about being a bad guy; it's about being compensated for your work. How much is your time worth? Would you sell it short just because it is the 'proper' channel? Most wouldn't.

How many hours of code and research is involved (on average)? If your only metric is 'how much can I possibly get' and morality isn't an issue, doing the wrong thing will almost always win.
 
Isn't this pointless though? I mean, if the person who found the bug is a bad guy, he's not going to report it to Apple regardless...

The more you pay, the better quality ethical hackers you'll have trying to break your stuff. Thus there is less chance that the actual bad guys will find anything.
 
Sorry but this is too easy. Apple doesn't pay enough for ANYTHING. They want deep/steep discounts for everything they buy and ridiculous premiums for everything they sell. Apple needs to be squeezed instead of squeezing EVERYBODY else.
Make selling vulnerabilities to third parties illegal and that will change the balance. Or, if you sell a vulnerability to a third party and that third party either exploits it or passes it onward to someone else that does, you are held liable for damages caused.

Good idea but real life isn't that simple.
How many hours of code and research is involved (on average)? If your only metric is 'how much can I possibly get' and morality isn't an issue, doing the wrong thing will almost always win.

Right. You're not dealing with a perfect world. Last I checked morality is pretty out of fashion. Apple certainly doesn't do anything for anybody for so cheap (in relative terms). It's like their mantra is "I think, therefore YOU pay"
 
This is a supply and demand issue. Apple should pay the market prices (whatever they are), else the researchers will sell to other parties as they are doing now.
 
Well, if you do anything other than report it directly to Apple you're by definition a bad guy. As for the compensation, nobody made you mess around with Apple's systems; you decided to put your own time into it. So if you sell it to a bad guy, it shows your morality and that you couldn't care less...

White hat hackers can sell to security companies or police. There are other buyers besides "bad guys".
 
Apple is offering $200,000 for a total ownage of the device from a website or text message vector. You could get realistically 1 million to 2 million dollars for the same vulnerability from a third party. That is the issue here.

You sell one vulnerability on that scale to an arms dealer and they will turn around and resell it to all the governments of the world to make back their investment. Apple is not competing enough for these huge bugs and it will only come back on them when we have more NSA / CIA leaks which indicate what bugs they knew about (or purchased) without reporting them to Apple.
 
This is a supply and demand issue. Apple should pay the market prices (whatever they are), else the researchers will sell to other parties as they are doing now.
Agree. If you look at financial compensation, there is this total misconception/miscompensation of intellectual accomplishments at Apple (and so many other companies).
Compare salaries of people that decide about wooden tables at Apple Stores with software safety engineers...
 
Isn't this pointless though? I mean, if the person who found the bug is a bad guy, he's not going to report it to Apple regardless...

I think the days of laughing at basement-dwelling geeks are over. It's been repeatedly proven that there are plenty of them who are capable of bringing entire companies to their knees.
 
White hat hackers can sell to security companies or police. There are other buyers besides "bad guys".

I don't see that as "white hat" as per a previous post of mine in the thread.

If the hacker sells to those companies or law-enforcement then Apple loses out on its right to make a decision as to who can "exploit" their software.

As a result, all of us that care about the security of our devices lose out as well.
 
Make selling vulnerabilities to third parties illegal and that will change the balance. Or, if you sell a vulnerability to a third party and that third party either exploits it or passes it onward to someone else that does, you are held liable for damages caused.
Is there actually a law for this? The vulnerability is there; it's not something the bounty hackers created. If somebody is willing to pay more, maybe you have to document and then disclose everything about the vulnerabilities. Then hand down the responsibilities to them. When iOS jailbreaking was at its peak, that's how some hackers handled it. And I don't remember any of them getting into serious trouble.
 
Personal thing? Selling vulnerability knowledge to a "hacker group" or back to the original creator.

Isn't it a bit clear cut?

Selling to US government - yup a grey area?!! :p


Problem is, that is a personal thing.

Selling to the US government should be its own topic over here on the MR forums, ethical or not? :p
 
I believe this is true.
The drug trade could be shut down. But there is enough evidence that the big players are, again, nation-states or nation-state backed.
Yet not a single state on Earth has managed to do so. Moreover, your belief in the omnipotence of governments (or any powerful group or entity) is as adoring as it is almost criminally naive.
 
This is a very big problem that Apple faces. This is why bad hackers and virus/malware/spyware/ransomware creators would benefit. Apple needs to pay more than "the bad guys".
 
So, these modern security research businesses are spending millions on highly trained researchers, such as yourself or the ones you described, so that they can find a bug and then decide: Do I sell this to Apple for $200k, or to the bad guys for $millions? Is that the purpose of these Modern Security Research Businesses? Honestly, it sounds more like Tech Crooks.
It doesn't always work out that vulnerabilities are sold to 'crooks' or malicious actors OR the vendor. There are many third parties that have legitimate business needs. One such example is the Zero Day Initiative (also known as ZDI). Look them up if you're interested in what a good model of a firm that purchases the work of security researchers looks like.
 
I've been reading some of the comments here, and as a new security researcher I find that some of your comments are victims of misconceptions that might be easily cleared up with some insight. For example:



For one, you might've been right if we were talking about security research from 20 years ago, when it wasn't taken so seriously. However, modern security research is a business in and of itself. It takes a lot of knowledge and training, but more importantly it takes resources. Most external security researchers will not have access to the source code of these applications or OS features that they are probing for vulnerabilities.

Most groups that actively search for vulnerabilities apply techniques like 'fuzzing', where they dedicate hardware to constantly throw input at an application or API until it breaks, and then the researcher figures out if that break is exploitable. These breaks appear in the form of application crashes and kernel panics. Most kernel-level vulnerabilities would sweep the top of the bounty range, since that would allow for access to a system beyond that of an administrator or super user. Getting back to the point, Apple hardware does not exactly come cheap, and to compete with a lot of the top-end researchers like Google's Project Zero, you're going to need a significant investment to even get started.

When any company considers how much to pay out, the company must analyze how frequently bugs are going to be discovered that are significant enough to be rewarded, how much malicious actors would pay for a vulnerability in this particular application or device, and what damage a complete outbreak of an exploit targeting your product would cause to the company's image. If vulnerabilities are going to be frequent, it's best to not offer a bounty and to have a team work in-house to discover them, because you will be flooded by submissions from amateur researchers grabbing low-hanging fruit. If vulnerabilities are going to be rare and deal high damage to the company's image, as in Apple's case, which champions its security, then the payout needs to be significant enough to compensate researchers for their investment of both time and resources.

I hope this clears things up for readers.

Humor. Try it on for size sometime.
 