
Sophisticatednut

macrumors 68020
May 2, 2021
2,378
2,160
Scandinavia
All I hear is "whine whine whine, boo hoo cry cry cry"
Lol, sounds like a you problem.
And sounds like you love to have unsafe Apple devices. I guess we will continue to see Pegasus exploits being sold and grave stone devices manufactured and sold to criminals and governments alike.

seanoo

macrumors member
May 10, 2014
35
31
At this point I can accept no excuse or justification from apple for why it isn’t paying best in class bounties.

Slow to scale excuses arguments? Ridiculous.

Smaller than industry rewards? It’s literally a marketplace of exploits. Not every hacker is a white hat. Some are beyond US Justice, others it takes years to catch. When Apple isn’t the first stop for exploits, in such cases the damage is done by the door one the holes are closed and the crooks caught.

For God’s sake, people have literally died and been hacked into pieces because of unpatched Apple bugs.

And in the meantime Apple wants us to put our medical histories and identification in our devices…

Yes we can blame NSO and FSB etc, but they are finding what is already there. There is no reason Apple couldn’t find most of it first if it doubled down on this.

Apple is the richest company in the history of humanity. There is no traditional business barrier to Apple doing what it needs to here.

Not able to run a robust bug discovery program that draws the best and most submissions (and conversely staffing internally to handle these)? Apple is fully able.

There is no reason that the above can’t be solved. And at this point it is only because of perceptual and cultural lag, possible arrogance, clear lack of CEO priority, and definite CFO cheapskatedness.

I might add it’s pretty glaring that attention and resources are lacking here even as Apple instead builds proof of concept golden keys inviting state coercion to expand their CSAM intrusion into other areas…
This is the best concise take on Apple’s security policy I’ve read in ages. Preach.
 

carlsson

macrumors 6502a
Jul 18, 2001
576
494
Who isn't unhappy with Apple lately? Rough year for the McIntosh.

Still, its stock value was at an all-time high two days ago....

Regarding bugs I have been a beta tester for many years now, and my feeling is that the betas have been buggier for every new release. Maybe a coincidence with the security bugs, but still...
 

0924487

Cancelled
Aug 17, 2016
2,699
2,808
Looks like the hackers are moving towards an extortion business model.
If you know anything about the tech world, the default for finding an exploit is to sell it on the dark web. People only get paid for finding something useful, once they do, they expect to be paid handsomely.
 

0924487

Cancelled
Aug 17, 2016
2,699
2,808
At this point I can accept no excuse or justification from apple for why it isn’t paying best in class bounties.

Slow to scale excuses arguments? Ridiculous.

Smaller than industry rewards? It’s literally a marketplace of exploits. Not every hacker is a white hat. Some are beyond US Justice, others it takes years to catch. When Apple isn’t the first stop for exploits, in such cases the damage is done by the door one the holes are closed and the crooks caught.

For God’s sake, people have literally died and been hacked into pieces because of unpatched Apple bugs.

And in the meantime Apple wants us to put our medical histories and identification in our devices…

Yes we can blame NSO and FSB etc, but they are finding what is already there. There is no reason Apple couldn’t find most of it first if it doubled down on this.

Apple is the richest company in the history of humanity. There is no traditional business barrier to Apple doing what it needs to here.

Not able to run a robust bug discovery program that draws the best and most submissions (and conversely staffing internally to handle these)? Apple is fully able.

There is no reason that the above can’t be solved. And at this point it is only because of perceptual and cultural lag, possible arrogance, clear lack of CEO priority, and definite CFO cheapskatedness.

I might add it’s pretty glaring that attention and resources are lacking here even as Apple instead builds proof of concept golden keys inviting state coercion to expand their CSAM intrusion into other areas…
Most are impossible to catch. A lot of them are selling them to white-gloved NSA labs.
 

0924487

Cancelled
Aug 17, 2016
2,699
2,808
If they feel Facebook and Google pay better, then that's where they should spend their time, not Apple. There are plenty of researchers willing and able to research Apple software. Those who don't like the terms can easily go elsewhere. No one is making them work on Apple software. This is not rocket science. It's called a free market.
No, the amount of people working on hacking iOS will not change based on Apple’s bounty programs or the lack thereof. The only difference would be where the exploit is going.
 

hans1972

macrumors 68040
Apr 5, 2010
3,312
2,897
Their time and efforts need to be paid for somehow. Those “researchers’” choice might be debatable, but Apple is definitely here to blame.

"with those researchers instead selling them to customers like government agencies or companies that offer up hacking services."

It makes them morally corrupt human beings worthy of condemnation and ostracising.
 

cpfoto2005

macrumors member
Jan 7, 2011
70
147
You clearly aren't in that field because that is how they work. So thanks for playing the game of showing how ignorant your viewpoint is.

I didn't say I was a security researcher. I just wrote what I do as a freelance designer.

But I do get a chuckle with how bold you are with your reply as you hide behind the anonymity of the web.
 

Robert.Walter

macrumors 68040
Jul 10, 2012
3,093
4,364
Most are impossible to catch. A lot of them are selling them to white-gloved NSA labs.

Highest bidder market?

Apple has the resources of a nation state.

A good carrot (fat rewards) & stick (working with DOJ to run down crooks and make the fat rewards look appealing) policy would go far.
 

0924487

Cancelled
Aug 17, 2016
2,699
2,808
Here’s a revenue-neutral proposal: deduct what’s paid out in bug bounties from the payroll of the team responsible for that portion of code. Add a little stick to the carrot.
Then no one would work for Apple.

Bugs are an inevitable part of software engineering. Without immunity from financial and legal liability beyond tort law, no one would work for Apple. Even then, most high-profile professional/chartered engineers carry professional liability insurance.
 

hans1972

macrumors 68040
Apr 5, 2010
3,312
2,897
When you start working for free maybe we’ll take your comment here seriously.

If you start doing work without securing that someone will pay for your work, you're taking a risk. It's a business decision they make, and if this market isn't good enough for them they could go elsewhere.

Restaurants seem to be looking for people in many places in the world.
 

Robert.Walter

macrumors 68040
Jul 10, 2012
3,093
4,364
Here’s a revenue-neutral proposal: deduct what’s paid out in bug bounties from the payroll of the team responsible for that portion of code. Add a little stick to the carrot.

Worst proposal on this forum. It would only guarantee more Apple bugs, because the best and brightest would go work where such short-sighted, draconian policies are not in force.
 

villagehiker

macrumors member
Oct 11, 2010
57
35
Texas
…instead selling them to customers like government agencies or companies that offer up hacking services…
Says everything we need to know about the researchers.

Microsoft pays out more because…
 

Robert.Walter

macrumors 68040
Jul 10, 2012
3,093
4,364
If you start doing work without securing that someone will pay for your work, you're taking a risk. It's a business decision they make, and if this market isn't good enough for them they could go elsewhere.

Restaurants seem to be looking for people in many places in the world.

You fail to realize that someone will pay. Someone will always pay. Even if it is not Apple. That’s the crux of this whole debate.
 

vladimirc

macrumors member
Apr 26, 2018
65
111
Don't we all love it when Apple, the largest corporation in the world with the largest margins in the industry, is stingy with security researchers?
 

Shreducator

Cancelled
Oct 17, 2020
201
309
What I don’t like about the Apple cult is everyone puts on horse blinders and pretends Apple has perfect security. That’s far from reality.
 