Security Researchers Don't Think Apple Pays Enough for Bug Bounties

Enough to not cause major issues for hundreds of millions of users.

Oh please, get off your high horse. I don't buy this bull that Apple cares about me and does what is "right". It wants my money, plain and simple. It wants to make as big a return for its investors as it can; that's its job.

No, not your security. Hundreds of millions of users' security. Let THAT sink in.
Where did I say that Apple cares about you?
 
Isn't this pointless though, I mean, if the person who found the bug is a bad guy he's not going to report it to Apple regardless.....

Exactly. Typical Motherboard clickbait (which Macrumors happily swallowed).
Here's a hint: Security Researcher and wannabe cyber-criminal are NOT THE SAME THING.
An article that refuses to understand this point is a waste of everyone's time.
 
I think it comes down to this: Customers demand security as part of what they're buying with today's software. Companies like Apple have to decide how much to spend and where to spend it to achieve that security. Not all THAT long ago, if you wrote software, YOU were the one responsible for finding the bugs in it. It was exactly as secure of a product as you were able to make it as the developer, testing it internally.

These days, it's become such a "hot topic", you have all of these teams of "researchers" trying to break everyone else's code so they can claim "first to find a flaw" of whatever sort, and generally hoping to make big profits doing it.

I believe Apple was slow to admit that their own internal development teams really couldn't find and fix as many security flaws as the competition did by utilizing these outside hackers/researchers. Now they're changing their ways, but it's still a slow, cautious process for them -- hence the unwillingness to pay as large bug bounties as others promise to pay.

Personally, I'd rather see more care put into the initial products to be as bug-free as possible. I get the idea that the whole industry has moved away from that and more towards pushing new code out ASAP, to be patched down the road. But regardless? Securing one's code has a cost - either internally to the QA people and developers, or externally to the "researchers".


So, it's not necessarily Apple's fault that their software has bugs; they are not aware of them because security software companies want more money? How can Apple fix something they don't know they have? In a sense, they are being held hostage by their own product. Kinda counterproductive, but understandable from a researcher's standpoint. I would want to be compensated fairly too for my work.

I don't know exactly what the going rate for bugs is or how they determine these market prices, but if Apple were to pay more, it opens up the floodgates for exorbitant price tags for bugs being discovered. If they do, guess what? Those prices will be reflected in already expensive Apple products at the consumer level. We are already paying premium prices for Apple products. This will only drive the prices even higher if they give in.

So what is fair exactly?
 
This is a very big problem that Apple faces. This is why bad hackers and virus/malware/spyware/ransomware creators would benefit. Apple needs to pay more than "the bad guys".

The people who are saying this ARE THE BAD GUYS.

No real security researcher would sell a bad bug to some dark net third party for more money than Apple is paying.
It would be an ethically bankrupt thing to do and they wouldn't be trusted in the future.

The bounty is supposed to be a motivation to find bugs, paying the real security researchers enough to be worth their while. It is possible that Apple doesn't pay enough for those real security researchers to put in the extra effort and that's fine; it is a legitimate criticism.

But, if they find, or hear of a bug, not telling Apple is what criminals would do, not a respected researcher.
 
No real security researcher would sell a bad bug to some dark net third party for more money than Apple is paying

Oh my god... where do I even start? These bounties are not for "a security researcher" or amateur people who decided to play with iOS and perhaps find a bug to report for money.

A security bug that Apple values at 200K probably costs more than a million dollars (in damages) if used for an attack on personal data or anything illegal. This is not like a root access thing for jailbreak devs to try and find an exploit for the kernel (these also cost some money, and some ex-jailbreak devs were credited in security patch notes by Apple). We are talking about major things that can be sold, like the WannaCry virus that was probably sold and activated because the NSA did not report the potentially deadly exploit to companies.

I have a very close internet-friendship with several developers as well as some hackers from across the world. And trust me when I say this, most hackers or devs who find exploits are in it for the money, for the highest bidder. There are so many morally bankrupt people in the dark web world that you would never believe.
A small secret for you: I talked with Cydia creator, Jay Freeman (saurik), and he told me that recently he got so many security reports on jailbroken iPhones that he personally wants to kill his own creation. (just google "Jailbreak is dead" and you'll find official public statements, not what I said)
 
Isn't this pointless though, I mean, if the person who found the bug is a bad guy he's not going to report it to Apple regardless.....

It'd be pretty easy to convince someone to sell their exploit to a shell company, for example, or some other seemingly innocuous entity who is really representing less savory characters or governments.
I can't believe this argument is being had here.

Am I the only one who believes in NOT DOING EVIL THINGS FOR MONEY?

I think most people are willing to do a little bit of evil, especially if the people being hurt are far removed, for a lot of money. The world has a "I'm gonna get mine" attitude about it, and it's easy to see why when some hedge fund manager makes a couple billion a year or some guy selling subprime mortgages to a client can rake in a couple million in bonuses.
 
Security researchers have gotten smarter. They used to release newfound vulnerabilities to be used for jailbreaking with every iOS release but now withhold it instead for monetization.
 
Oh my god... where do I even start? These bounties are not for "a security researcher" or amateur people who decided to play with iOS and perhaps find a bug to report for money.

A security bug that Apple values at 200K probably costs more than a million dollars (in damages) if used for an attack on personal data or anything illegal. This is not like a root access thing for jailbreak devs to try and find an exploit for the kernel (these also cost some money, and some ex-jailbreak devs were credited in security patch notes by Apple). We are talking about major things that can be sold, like the WannaCry virus that was probably sold and activated because the NSA did not report the potentially deadly exploit to companies.

I have a very close internet-friendship with several developers as well as some hackers from across the world. And trust me when I say this, most hackers or devs who find exploits are in it for the money, for the highest bidder. There are so many morally bankrupt people in the dark web world that you would never believe.
A small secret for you: I talked with Cydia creator, Jay Freeman (saurik), and he told me that recently he got so many security reports on jailbroken iPhones that he personally wants to kill his own creation. (just google "Jailbreak is dead" and you'll find official public statements, not what I said)

All I hear is a lot of blah blah blah, from a community I know too well, of self serving mercenaries.

Almost all the NSA exploits were likely hoarded not only by the NSA, but by many foreign governments, companies doing industrial espionage, dozens of different groups on the Internet of dubious motives, and your so-called "security researchers". For each one you know about, there are 2-3 you don't know yet. Thankfully most are not severe, though they can be if they can be chained.

I've got 30 years of computer engineering behind me and dealt with security for a hell of a big part of that. I know what I'm talking about. I've been in contact with a goddamn lot of this crowd on both sides of the fence (cause you have to befriend them to beat them sometimes...) at various levels since the mid 1980s, when I first touched a Unix system.

What's to tell me they don't sell those exploits to many different people and then 1-2 months later report them, just as their value is about to go down (because eventually, if enough people know about an exploit, it will get back to Apple or Microsoft), and double or triple dip?

I consider many of those people CROOKS and even BLACKMAILERS.
That's what my experience has taught me.

Apple's bounty is not targeted at most of these folks because they are not to be trusted.
There is no amount of money that will be high enough to make them trustworthy: this ship has sailed.

It is targeted at the smaller group that has a conscience and who believe they should be compensated fairly for their effort, but not more. It's possible that the current compensation is not seen as fair for those people's effort; but that has nothing to do with paying millions for bugs.
 
Security researchers have gotten smarter. They used to release newfound vulnerabilities to be used for jailbreaking with every iOS release but now withhold it instead for monetization.
And to jailbreak, we end up having to download sketchy closed-source Windows-only made-in-China software. I miss redsn0w.
 
I can't believe this argument is being had here.

Am I the only one who believes in NOT DOING EVIL THINGS FOR MONEY?
No

I'm not against making a profit, but damn, does profiteering through others' labour or illegal means really make me question exactly what basis of morality is in so many top corporate leaders' minds.

It's like they all read Ayn Rand and decided they could drop out of Business Ethics 101 after hearing "egoism" and misinterpreting it as their own ego.

At some point, when the leaders of your company have the mindset that being #1 at all costs is also worth sitting on 200b while still using effective slave labour, willingly nickel-and-diming your staff, paying the minimums where you can get away with it, while also jumping through hoops to hide money from taxation, you really have to wonder just where modern leaders went so foul.
 
Right. You're not dealing with a perfect world. Last I checked morality is pretty out of fashion.

Yea, that seems to be the way things are headed.

Problem is, that is a personal thing.

I agree that this seems to be the irrational thinking of this age...
So, should we a) try to get people thinking again? b) start looking for some remote place to try and survive?

Not all THAT long ago, if you wrote software, YOU were the one responsible for finding the bugs in it. It was exactly as secure of a product as you were able to make it as the developer, testing it internally.

These days, it's become such a "hot topic", you have all of these teams of "researchers" trying to break everyone else's code so they can claim "first to find a flaw" of whatever sort, and generally hoping to make big profits doing it.

... I get the idea that the whole industry has moved away from that and more towards pushing new code out ASAP, to be patched down the road.

I think it's also due to a lot of community-developed code being involved in nearly all software, and everything being Internet accessible. There are lots of eyes, but also a lot of hands involved. Security likely isn't at the forefront of most developers' priorities, or even knowledge.

I can't believe this argument is being had here.

Am I the only one who believes in NOT DOING EVIL THINGS FOR MONEY?

We're becoming a dying breed, I guess. :(
It's called relativism, and as the sub-title goes for one of the books on the subject, 'feet firmly planted in mid-air.' It's all the rage these days.
 
Regarding "why pay millions to someone living in their basement and not working hard enough for it" comments.

What are you all, communists? It's how capitalism works - price is driven by demand. And it's not like Tim Cook works "hard enough" to justify a multimillion salary, does he?

Apple is a for-profit corporation, which sells iPhones by the million. It's only logical that a discovered vulnerability in mass-produced and very expensive devices should be worth literally millions.

When an auto manufacturer screws up with something already on the market, it gets slapped with huge fines and is forced to perform a recall of tens of thousands of cars.

In some cases getting your information stolen by hackers is worse than a car crash, so it's only fair.

One word: "ethics".

Yeah, because Apple is known to be a champion of good business practices and just generally being nice to everyone all around.
 
Regarding "why pay millions to someone living in their basement and not working hard enough for it" comments.

What are you all, communists? It's how capitalism works - price is driven by demand. And it's not like Tim Cook works "hard enough" to justify a multimillion salary, does he?

There is a difference between value-derived/based pricing and extortion. (The latter has nothing to do with Capitalism.)
 
Regarding "why pay millions to someone living in their basement and not working hard enough for it" comments.

What are you all, communists? It's how capitalism works - price is driven by demand. And it's not like Tim Cook works "hard enough" to justify a multimillion salary, does he?

Apple is a for-profit corporation, which sells iPhones by the million. It's only logical that a discovered vulnerability in mass-produced and very expensive devices should be worth literally millions.

When an auto manufacturer screws up with something already on the market, it gets slapped with huge fines and is forced to perform a recall of tens of thousands of cars.

In some cases getting your information stolen by hackers is worse than a car crash, so it's only fair.


Yeah, because Apple is known to be a champion of good business practices and just generally being nice to everyone all around.

Ethics and being nice have nothing to do with each other; it is a false equivalence.
You use a lot of logical fallacies in your writings.

It's only worth millions if you trust the person you're paying not to sell your weaknesses to someone else regardless (or to sell it to them first and then later disclose to Apple). If you can't trust them, you'll get hit regardless, and they'll only feed you exploits that are close to being found out by Apple anyway.

Once people in that field are not to be trusted (many can be trusted), you don't pump money into their operation.
Trust and reputation are primordial here; otherwise you're just dealing with a gang of crooks selling illicit crap from the back of a van.
 
It isn't about being a bad guy; it's about being compensated for your work. How much is your time worth? Would you sell it short just because it is the 'proper' channel? Most wouldn't.
Those rewards seem more than fair for sitting around looking for bugs.
 
All I hear is a lot of blah blah blah, from a community I know too well, of self serving mercenaries.

Almost all the NSA exploits were likely hoarded not only by the NSA, but by many foreign governments, companies doing industrial espionage, dozens of different groups on the Internet of dubious motives, and your so-called "security researchers". For each one you know about, there are 2-3 you don't know yet. Thankfully most are not severe, though they can be if they can be chained.

I've got 30 years of computer engineering behind me and dealt with security for a hell of a big part of that. I know what I'm talking about. I've been in contact with a goddamn lot of this crowd on both sides of the fence (cause you have to befriend them to beat them sometimes...) at various levels since the mid 1980s, when I first touched a Unix system.

What's to tell me they don't sell those exploits to many different people and then 1-2 months later report them, just as their value is about to go down (because eventually, if enough people know about an exploit, it will get back to Apple or Microsoft), and double or triple dip?

I consider many of those people CROOKS and even BLACKMAILERS.
That's what my experience has taught me.

Apple's bounty is not targeted at most of these folks because they are not to be trusted.
There is no amount of money that will be high enough to make them trustworthy: this ship has sailed.

It is targeted at the smaller group that has a conscience and who believe they should be compensated fairly for their effort, but not more. It's possible that the current compensation is not seen as fair for those people's effort; but that has nothing to do with paying millions for bugs.

Well, I completely agree with you here. But I am confused. What did I say was wrong? I just don't know if you agreed with me or disagreed. hehe.
 
Well, I completely agree with you here. But I am confused. What did I say was wrong? I just don't know if you agreed with me or disagreed. hehe.

Ethics vs being nice. You can be "not nice" and still be ethical. What is considered nice is highly dependent on who you talk to, what society you're in and various external factors. Some people equate not being a pushover with not being nice (basically not being completely in their service).

Even ethically bankrupt people will be found perfectly nice by people that don't run afoul of their transgression.
 
Ethics vs being nice. You can be "not nice" and still be ethical. What is considered nice is highly dependent on who you talk to, what society you're in and various external factors. Some people equate not being a pushover with not being nice (basically not being completely in their service).

Even ethically bankrupt people will be found perfectly nice by people that don't run afoul of their transgression.
Your point being that I was not nice? Or not ethical?
I am still a bit confused. Although I agree with this quote as well.
 
Yeah, because Apple is known to be a champion of good business practices and just generally being nice to everyone all around.
If they pay a ludicrous $200k (this is what Angela earns, ehhh... should I say gets, every 3 days), which is a fraction of the market value, this is all window dressing.
A "look what we've done to improve our security"-like wannabe-good-guy excuse to be used if a great security scandal breaks out.
 