"with those researchers instead selling them to customers like government agencies or companies that offer up hacking services."

It makes them morally corrupt human beings worthy of condemnation and ostracising.
Sure. But meaningless drivel.
1: nobody cares about their morals and 100% of people will laugh at you for trying to ostracize people in a seller's market.
2: money talks, moral walks.
You literally get what you pay for
 
"with those researchers instead selling them to customers like government agencies or companies that offer up hacking services."

It makes them morally corrupt human beings worthy of condemnation and ostracising.
Why? It’s just intelligence trading. It’s only morally corrupt for Apple to not be the highest bidder.
 
Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid.

How many incidents / discovered, verified bugs for each vendor? The dollar amounts are meaningless without that.

To sell the discovered bugs is slimy.
 
and former and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed.
Yeah, we’ve noticed. For years. Things at Apple are not what they used to be. Especially on the Mac side of things. The question is.......why?
 
How many incidents / discovered, verified bugs for each vendor? The dollar amounts are meaningless without that.

To sell the discovered bugs is slimy.
The free market, baby. If you give me $100 (and you have hundreds of billions in the bank lying around) for your bug in your crappy software, and the government or a random company pays me $1,000, how is it slimy for me to go to the ones actually showing interest?
 
$3.7m paid out for exploits is chicken feed. Especially given the damage a single exploit could do. I wouldn't be surprised if many security researchers sell their ZDE on the dark web instead given how little it seems Apple is paying out. How much would China or Russia pay for an exploit to Apple's software?
 
Good God, people are defending Apple on this one?

People are spending hundreds of hours of their own time (or thousands) searching for individual security holes and showing how to exploit them, and you think they don't deserve compensation (which is an industry norm at this point) for finding it and reporting it out to the vendor?

How many of you waste hundreds of hours doing what is basically your full-time job without getting paid?
Why are they spending hundreds of hours of their own time then? If you don't agree with Apple's payment, stop working. Oh… Or maybe they want money even if it’s against Apple. Hmm…
 
Greedy idiots. Apple doesn’t make an employment contract with them, so they should be happy with what they get paid by Apple. If they reference what Google and microshit pay, maybe they should go bounty hunting there instead.
 
Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid.
Most folks, including the author, seem to have missed that this is a meaningless statistic without a denominator. Maybe Apple paid half vs Google and ¼ vs Microsoft because security researchers have found half the number of bugs vs Google and ¼ the number of bugs vs Microsoft.

What else? Time to pay? Maybe they lag, but according to a security researcher quoted in the WP article, “I think they’re aware of how they’re seen in the community, and they’re trying to move forward.”

What else? Time to fix? That affects end users, not bug finders. Might disincentivize them a little, but I’m sure they care more about getting paid.
 
Researchers being unhappy with Apple's security posture is about the same as someone claiming that "water is wet".

Having personally observed a bug in Apple's OpenSSH implementation and reported it, and having had Apple subsequently close it as a duplicate bug, and then only having seen it actually *fixed* two years later, with 0 attribution (either to me, or whomever apparently had previously reported it, hence it being closed as a duplicate)? Yeah, that stings. Albeit, that was before they had a bug bounty program, so it wasn't as if it hurt materially. It was more: wow, it took you two years to patch that, and I wasn't even the first person to bring it to your attention? Geeze, you rest on your laurels something awful!

Though I personally, could care less about bug bounty programs, which in my humble opinion negatively incentivize the field of research.

Full disclosure: I know Katie Moussouris personally. She and I do not see eye to eye on bug bounty programs. She advocates for such things, so seeing her outspoken here is also no surprise. In my personal opinion, I think bug bounties are like giving safe haven and sponsorship and potentially even ammunition to your sworn enemies, when you probably had a bunch of paying customers and maybe even some internal engineers already ringing alarm bells that were being ignored as the roof sprouts yet another leak.

Nonetheless, bug bounty programs do now exist in the industry, against all better judgement. Apple was late to implement such a thing, but many organizations which ship code used by swaths of users, still have nothing in such realms. IMHO, such organizations are better for it, but they probably also don't have hundreds of billions of dollars in cash as Apple does, and thus are not likely to be detracted for their lack of bug bounty programs by individuals who would choose to manipulate the market to their world view.

Maybe I should also mention that I am friends with a number of individuals who were part of MoAB (Month of Apple Bugs) wherein every day, for 30 days, a new Apple exploit was disclosed.

Albeit, that was not for monetary gain! That was also, long before Apple had a bug bounty program.

That was mostly to hammer home a point against Apple fans and Daring Fireball sorts of dip it.sh types who claimed that legitimate security researchers were not disclosing legitimate findings.

I don't recall if Daring Fireball ever issued an apology to Johnny Cache nor David Maynor, but I do recall that Apple issued a number of patches to address the exploits disclosed in MoAB.

If researchers are in this field to make money, they picked the wrong industry.

The billionaires in tech are more often than not, egregious robber barons, claiming spoils for others' creations. Bill Gates did not invent BASIC, he monetized it. Bill Gates did not write MS-DOS, he bought Tim Patterson's rip off of Gary Kildall's CP/M. So, when you have monied idolatry and hero worship in the tech sector with big dollar amounts being bandied about, a lot of people get the completely wrong idea that they can somehow earn a living at it, instead of realizing the true nature of greed and duplicity.

Apple has never demonstrated, to me at least, that they take reporting bugs through official channels with as much severity as exploits appearing in the wild. They are not alone in that, but I don't see this particular story as anything new or remarkable either. I could enumerate other bug bounty programs where the researchers were upset they did not get pay outs, or got significantly less than they expected as well. It is not unique to Apple, it is the nature of the beast.

Real villainy in the realms of computer security research is commonplace. Some of it is extremely well funded. Typically, the better funded it is, the less likely that research will ever be disclosed to the upstream vendors to actually patch the bugs. To wit, since being released, Kevin Mitnick has come under some, IMHO, deserved scrutiny for offering his security evaluation services to companies who subsequently pocket the findings rather than disclose them to the vendors in which the vulnerabilities were found.

As contrasted with the likes of Crypto AG, or other COINTELPRO which is part and parcel with information warfare, Apple seems relatively benign. If anything, their stance seems pretty rooted in the reality that there were in excess of 100 Apple ][ clones back in the day (https://en.wikipedia.org/wiki/List_of_Apple_II_clones), and those early endeavors being copied and resold by other vendors in the market, I think, gave Apple a pretty bad taste in their mouth early enough in their history that they considered that many "researchers" were adversarial and treated them accordingly.

That evaluation may still be entirely, 100% accurate, but to Apple's credit, they still at least seem to be attempting to "play ball" ethically in the here and now, whether by offering bug bounty programs to keep pace with some of their competitors, or in appealing the Corellium decision. I have it on good authority that Apple even paid SRI for use of the patents on Bill English's mouse invention way back when, and in subsequent years seemed to be pretty savvy with buying out other IP owners before adapting such technology for their own use (e.g. Apple bought Fingerworks, before they utilized the extensive IP Fingerworks had previously established in gesture driven UIs, which later went into iOS and the iPhone). A lot of other companies in this industry, never pay due diligence to prior art.

Anyway, will this change anything? Will additional pressure on Apple lead to anything great? I kind of doubt it, but as their cash reserves and market share have grown, more haters and vulnerabilities aimed their way will doubtlessly increase as well.
 
It’s very simple. If you don’t like the way Apple does it then don’t find their bugs. Eventually there will be some bad exploits and Apple will start paying more for the good guys to find their flaws.

Oh heck no!
If I can find the bugs and Putin's Quality Hacks offers me twice as much AND pays on time ...

ka-ching!
Pay me in bitcoins baby!
 
It’s very simple. If you don’t like the way Apple does it then don’t find their bugs. Eventually there will be some bad exploits and Apple will start paying more for the good guys to find their flaws.
It's not so simple at all. You've got security researchers who have honed a specialisation in finding security flaws in a particular Apple device on the basis of Apple bounties. Then they find that Apple isn't paying out as promised for everything they find. So they have a choice of throwing away years of highly specialised knowledge, or sticking with Apple's dishonest payments, or selling to other third party customers. As the article says, some are choosing the latter.
 
@H3LL5P4WN

[image attachment: 1631225355600.png]
 


Apple offers a bug bounty program that's designed to pay security researchers for discovering and reporting critical bugs in Apple operating systems, but researchers are not happy with how it operates or Apple's payouts in comparison to other major tech companies, reports The Washington Post.

[article image: apple-devices-security-bug-bounty-mac-iphone-ipad.jpg]

In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn't always pay out what's owed.

Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid. While other companies like Facebook, Microsoft, and Google highlight security researchers that find major bugs and hold conferences and provide resources to encourage a wide range of participants, Apple does not do so.

Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed.

Apple's reluctance to be more open with security researchers has discouraged some researchers from providing flaws to Apple, with those researchers instead selling them to customers like government agencies or companies that offer up hacking services.

Apple's Head of Security Engineering and Architecture, Ivan Krstić, told The Washington Post that Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future.

Luta Security founder Katie Moussouris told The Washington Post that Apple's poor reputation with the security community could in the future lead to "less secure products" and "more cost."

Apple's bug bounty program promises rewards ranging from $100,000 to $1,000,000, and Apple also provides some researchers with special iPhones dedicated to security research. These iPhones are less locked down than consumer devices and are designed to make it easier for security vulnerabilities and weaknesses to be unearthed.

Sam Curry, a security researcher that worked with Apple in 2020, said that he offered feedback to Apple and that he feels like the company is aware of how it's seen and "trying to move forward." According to The Washington Post, Apple this year hired a new leader for the bug bounty program, so it could soon see some improvements.

Article Link: Security Researchers Unhappy With Apple's Bug Bounty Program
I find it odd that these security researchers somehow believe that they are the CEO, CFO, etc. That they should be able to override the directions and goals (product development) of companies they do not own.
 
So Microsoft pay out only 5x as much as Apple for 100x the number of exploits and 90% more customers.

Google pays only 2x and they provide, quite literally, an OS designed to be manufacturer hackable.

Is it possible there aren't as many gaping security holes in MacOS/iOS as in the other operating systems, and they actually pay just as much as the others?
 
I found a lock screen bypass bug and spoke with Apple engineers and they didn't pay out a damn thing. Probably because I'm not a "researcher" professionally. But I was able to demonstrate it physically happening with a screen recording a couple years ago. I thought about going to MacRumors with it but decided against it because 1. I didn't want someone to figure out how to exploit it in the wild and 2. I didn't want to potentially lose my opportunity to get paid. I should've just gone to MacRumors with it.

Just in case you guys don't believe me, here is a video I made back in autumn 2018 where I actually recorded everything and was even going to post it to the site: http://aduke.co/EeR9Qb

@jclo would love it if you made a big deal about this! I feel like I got screwed out of the bounty, but now that I know that others aren't getting paid what is owed, maybe we can form some kind of class action lawsuit? But here is a real world working example with proof that I had a Lock Screen bypass bug discovery and I worked with Apple on it. Here is my original post on it where I was vague in details: https://forums.macrumors.com/threads/12-1-major-exploit.2153520/

I have an email confirming Apple called me about this, with the chat log of me talking with the representative. This is all from November 8, 2018. Let me know if you need anything else from me if you want to make this a followup story. Otherwise I know Mark Gurman from when I worked at 9to5Mac so I may reach out to him at Bloomberg. Thanks.
 
Then no one would work for Apple.

Bugs are an inevitable part of Software Engineering. Without immunity to financial and legal liability beyond tort law, no one would work for Apple. Even then, most high profile Professional/chartered Engineers have professional liability insurance.
Worst proposal on this forum. It would only guarantee more Apple bugs because the best and brightest would go work where such short sighted draconian policies are not in force.

Wow, people get jumpy when you suggest they should be financially accountable for their performance... You do expect that someone can be fired for poor performance, right? If an engineer or team introduces too many security flaws into their code then that would be considered poor performance, right? So what's wrong with having a sliding scale between “we love you” and “you’re fired”— pay for performance.

You’d expect the best engineers to favor that model, wouldn’t you? You’ve never been fed up at being dragged down as a team when you know full well who the problem is? I still remember the one where empty password boxes were being accepted by the OS-- if busting someone's chops for that bug meant losing some of the "brightest", then so be it.


No reason you need to start at the current pay level, if you merely want to account for the fact that an average engineer will always have bugs. Create a bonus pot that gets paid out to a researcher who finds a bug, or the team if none are found within a certain timeframe. The good teams with good engineers and processes get carrots, the teams without process or talent get sticks.

You might find engineering teams more willing to put up with more quality control if they know there's a pot of gold at the end of the flowchart.
 
"with those researchers instead selling them to customers like government agencies or companies that offer up hacking services."

It makes them morally corrupt human beings worthy of condemnation and ostracising.
Or they can choose to survive and f the company unwilling to acknowledge the issue. It’s not like Apple doesn’t have the money to pay them big. Apple just doesn’t want to pay them, hence, Apple’s fault.
 
Apple has always shown a great disdain for fixing problems until they become news. When they're on TV or in the newspapers, Apple runs to fix software problems.

They have great opportunities to make their software better, but they seem to have become Adobe in nature. They're so quick to consider new features, some of which may even be useful, that they don't consider fixing problems.
This. This 1000%.
It boils my piss to be honest… the Adobe comparison is warranted.

There are a couple of quirks that I still see happening several OSs later, dragged from Catalina to Big Sur and still expecting them on Monterey. I’ll have to start with a 100% clean-state machine to see if I have just tainted it with crap… but nevertheless AirPods Pro/Max still stutter at random times, pausing and resuming with a ~2 second no-sound period (when it gets audio it’s a bit delayed also), sometimes clicking from one app window to another is met with a lag (64GB 2020 iMac here), or alt-tabbing sometimes pops up another window from another application (usually Safari) invading the focus of the selected one. To name a few.

Don’t get me wrong, these are really minor in the grand scheme of things, it works, I dread every time I have to visit windows… but goddamnit Apple, finish the damn job, polish it, I don’t care about that new fancy unfinished drag and drop-y thing if some key stuff still has rough corners!
 
I found a lock screen bypass bug and spoke with Apple engineers and they didn't pay out a damn thing. Probably because I'm not a "researcher" professionally. But I was able to demonstrate it physically happening with a screen recording a couple years ago. I thought about going to MacRumors with it but decided against it because 1. I didn't want someone to figure out how to exploit it in the wild and 2. I didn't want to potentially lose my opportunity to get paid. I should've just gone to MacRumors with it.

Just in case you guys don't believe me, here is a video I made back in autumn 2018 where I actually recorded everything and was even going to post it to the site: http://aduke.co/EeR9Qb

@jclo would love it if you made a big deal about this! I feel like I got screwed out of the bounty, but now that I know that others aren't getting paid what is owed, maybe we can form some kind of class action lawsuit? But here is a real world working example with proof that I had a Lock Screen bypass bug discovery and I worked with Apple on it. Here is my original post on it where I was vague in details: https://forums.macrumors.com/threads/12-1-major-exploit.2153520/

I have an email confirming Apple called me about this, with the chat log of me talking with the representative. This is all from November 8, 2018. Let me know if you need anything else from me if you want to make this a followup story. Otherwise I know Mark Gurman from when I worked at 9to5Mac so I may reach out to him at Bloomberg. Thanks.
Wow!
 
Wow, people get jumpy when you suggest they should be financially accountable for their performance... You do expect that someone can be fired for poor performance, right? If an engineer or team introduces too many security flaws into their code then that would be considered poor performance, right? So what's wrong with having a sliding scale between “we love you” and “you’re fired”— pay for performance.

You’d expect the best engineers to favor that model, wouldn’t you? You’ve never been fed up at being dragged down as a team when you know full well who the problem is? I still remember the one where empty password boxes were being accepted by the OS-- if busting someone's chops for that bug meant losing some of the "brightest", then so be it.


No reason you need to start at the current pay level, if you merely want to account for the fact that an average engineer will always have bugs. Create a bonus pot that gets paid out to a researcher who finds a bug, or the team if none are found within a certain timeframe. The good teams with good engineers and processes get carrots, the teams without process or talent get sticks.

You might find engineering teams more willing to put up with more quality control if they know there's a pot of gold at the end of the flowchart.
Fair points, I would wager that those incentives would also motivate devs to try their own dog food.
We have all been there, probably daily, at the “why the hell is this thing broken” and the task owner says “well, it works on my IDE debug safe mode isolated protected nothing can crash side, I had fixed it”. Not enough: build it, try it on device, make sure it works there, THEN push the changes.
 
I found a lock screen bypass bug and spoke with Apple engineers and they didn't pay out a damn thing. Probably because I'm not a "researcher" professionally. But I was able to demonstrate it physically happening with a screen recording a couple years ago. I thought about going to MacRumors with it but decided against it because 1. I didn't want someone to figure out how to exploit it in the wild and 2. I didn't want to potentially lose my opportunity to get paid. I should've just gone to MacRumors with it.

Just in case you guys don't believe me, here is a video I made back in autumn 2018 where I actually recorded everything and was even going to post it to the site: http://aduke.co/EeR9Qb

@jclo would love it if you made a big deal about this! I feel like I got screwed out of the bounty, but now that I know that others aren't getting paid what is owed, maybe we can form some kind of class action lawsuit? But here is a real world working example with proof that I had a Lock Screen bypass bug discovery and I worked with Apple on it. Here is my original post on it where I was vague in details: https://forums.macrumors.com/threads/12-1-major-exploit.2153520/

I have an email confirming Apple called me about this, with the chat log of me talking with the representative. This is all from November 8, 2018. Let me know if you need anything else from me if you want to make this a followup story. Otherwise I know Mark Gurman from when I worked at 9to5Mac so I may reach out to him at Bloomberg. Thanks.
Damn! Since you have all this proof, history and let’s call it “receipts” of the work, probably this is the best timing to right that wrong, since these articles and news might make Apple go into damage control mode.
 