[F]ormer and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed.

It's pretty obvious from using Apple software that this problem extends beyond security bugs. Submitting bugs or feedback to Apple is seldom fruitful and submissions almost always go unacknowledged. Many reproducible bugs go unaddressed even across multiple major releases of macOS.

I don't work for Apple and I don't pretend to know what the problem is, but it's becoming more and more apparent that Apple's current engineering and QA practices are not working well for them or for their customers.
 
Their time and efforts need to be paid somehow. Those “researchers'” choice might be debatable, but Apple is definitely to blame here.
If they feel Facebook and Google pay better, then that's where they should spend their time, not Apple. There are plenty of researchers willing and able to research Apple software. Those who don't like the terms can easily go elsewhere. No one is making them work on Apple software. This is not rocket science. It's called a free market.
 
Security is really just one factor that needs to be considered during development.

People freak out about security a lot, but then they have a $5 lock on their front door that's like ANSI-3 (which covers everything from a latch to something where you need a key).

At some point you need to prioritize. Just because it's an exploit doesn't mean it needs to be fixed immediately...or that it's worth as much as the researcher thinks it's worth.
 
People seeking bug bounties are a pain in the backside. Before we did an official program, we had daily reports from people finding 'bugs' and wanting to be paid for their unsolicited efforts. Now that we have a program, they get annoyed that someone else found the bug first.
 
If Apple isn't paying researchers the amount agreed upon for bugs already submitted, that's one thing.

But as someone who makes a living freelancing, if I don't like the pay or terms of working on a project, I don't work with a company. I have stopped working with a number of clients over the years because of these types of issues. It sucks having to look for new clients, but that's one of the drawbacks of being a freelancer—a profession that I willingly chose.
 
None of us are aware of what is being submitted and if it is of any value. This is basically another attempt to raid Apple's wallet just like everyone else who is complaining.

If the system is so bad, just like the App Store is, then quit submitting bugs. Same goes for the App Store...stop developing products for it.
Lol, wut

So you want researchers to stop finding bugs for the products you buy? This is the definition of cutting off your nose to spite your face.
 
It's pretty obvious from using Apple software that this problem extends beyond security bugs. Submitting bugs or feedback to Apple is seldom fruitful and submissions almost always go unacknowledged. Many reproducible bugs go unaddressed even across multiple major releases of macOS.

I don't work for Apple and I don't pretend to know what the problem is, but it's becoming more and more apparent that Apple's current engineering and QA practices are not working well for them or for their customers.
The most annoying macOS bug is the one that convinces me to never reboot because it becomes a pain. I do want my apps to open back up where I left off, that's great. What isn't great is it seems to not know which apps I had open, and has been stuck opening apps on boot that I haven't used in years. And I've seen plenty of reports that I'm not the only one, yet several macOS releases later, Apple is still only concerned about stupid things like making buttons bigger and more iOS-like...

Tim Cook couldn't be bothered to have anyone in the rotting apple fix a bug if his life depended on it... so full steam ahead with a car no one will buy
 
Who isn't unhappy with Apple lately? Rough year for the McIntosh.
People that are not complaining on the internet. So basically, everyone else loves their stuff. And it will be a shocker to haters when they sell a gazillion devices. Each year, rinse and repeat.
 
Apple used to have a huge lead in that field. It was part of the brand 10-20 years ago or so. People bought Apple's technology because it was more secure. Now they're losing it.

Moreover, with the marriage between hardware and software, and releasing a limited number of device models, it should be even simpler to keep track of what goes wrong. Yet, they've almost been outpaced and the gap is widening.

I really hope they can get back on track. Hire twice as many devs to clean the mess. Team up with hackers who are showing an interest in improving the products. Everyone will benefit! It's not that expensive at all when you're a thousand billion dollar company.
 
Bug bounty programs are a great idea and security researchers should be paid a fair price for their efforts. Apple is definitely lagging the industry here.
 
Last summer I found a way (bug or unintuitive OS handling ¯\_(ツ)_/¯ ) for another user on a Mac to access files on a protected drive without having the other user's password. To me, that seemed very bad.
I contacted Apple Security. Process lasted several weeks. Phone calls. Emails. Pictures and videos of the whole thing. Did everything they asked. I never asked for anything and I spent several hours in this whole ordeal. At the end I mentioned the bounty program. I was told a simple ‘solution’ to not allow users to access data, which was an insult. I was offered nothing in return for my time or for showing them how one could, in the right circumstances, get the data; they stopped replying to my emails.
I tried to do it the ethical way by going straight to them, I didn’t demand anything, and I only brought up the bounty after weeks of working with them. I got nothing. Nothing.

Having used Macs since 2003, and working at an Apple Store when a new store opened in 2010, this single event put a sour taste in my mouth. I’ve seen people walk out of my store with entire new devices, yet when I returned to that store years later I got back a damaged iMac and basically a sorry. And this encrypted drives thing above. Those two combined were very demoralizing for an Apple fanboy and former employee.
 
They should simply start selling these security holes to scammers, this is more profitable. It’s worthless being a white hat hacker trying to help Apple, seems like they don’t care and don’t want to. Apple just cares for profit and these “security researchers” should put profit first, too.
 
I think security-through-obscurity, as Apple tries to do, is an unsustainable security strategy. It leads to more zero day exploits and unpatched vulnerabilities.

Worse, it depends on near perfection from Apple's developers and QA team. It's pretty bloody obvious that Apple has been shipping software with glaring technical, security, and UI flaws for years now so perfection is clearly unattainable for Apple.

So, come on Apple! Pay up. It will be better for everybody.
STO has been a fool's gamble for years now. Any company the size of Apple that might practice it as a policy is committing malpractice.

That said, I’m not sure that’s what Apple is doing.

Nobody expects perfection from people, only a robust best in class detection and remediation/mitigation system.
 
If they feel Facebook and Google pay better, then that's where they should spend their time, not Apple. There are plenty of researchers willing and able to research Apple software. Those who don't like the terms can easily go elsewhere. No one is making them work on Apple software. This is not rocket science. It's called a free market.
What are you talking about? They just give the bugs to the government instead, or anyone else willing to listen and compensate.

It’s literally the free market. Apple can just be happy that they actually have the courtesy to tell Apple they suck as they laugh all the way to the bank after a fat check from the government.
 
Alternative title: “Some people complain about their job”

Once you back away and see it as that, this is not an exciting story. I don’t have a dog in this fight; I just think assuming one side has the high ground is silly. They can both be wrong or right.
 
Alternative title: “Some people complain about their job”

Once you back away and see it as that, this is not an exciting story. I don’t have a dog in this fight; I just think assuming one side has the high ground is silly. They can both be wrong or right.
Eh no, Apple is 100% in the wrong here.
These researchers aren’t employed by Apple. They give Apple information about bugs out of their own good will and for compensation from Apple. Nothing stops them from selling the bugs to anyone else.

They are just nice enough to complain to Apple that they want to be their customer, but unless Apple changes they will go elsewhere at Apple's expense.
 
Apple is the richest company in the history of humanity. There is no traditional business barrier to Apple doing what it needs to here.
Erm. No it isn’t. You guys don’t half like to make big statements devoid of fact. It’s currently an extremely rich company, but some of the companies in ‘the history of humanity’ [sic] made vastly more money. Do better research before making embarrassingly embellished claims.
 
Here’s a revenue-neutral proposal: deduct what’s paid out in bug bounties from the payroll of the team responsible for that portion of code. Add a little stick to the carrot.
 