Apple is dealing with COVID, just like everyone else. They are not at their best. However given the circumstances I think what they are doing (CSAM aside) is remarkably good.
 
Fair points, I would wager that those incentives would also motivate for devs to try their own dog food.
We have all been there, probably daily, at the “why the hell is this thing broken” stage, and the task owner says “well, it works on my IDE debug safe mode isolated protected nothing-can-crash side, I had fixed it”. Not enough: build it, try it on device, make sure it works there, THEN push the changes.

I long ago lost track of "but it worked just fine in Qual!" only to have it fail in Prod.
 
Another chink in the reality distortion field armor. If Apple cannot even have transparency on their regular security efforts, how trustworthy are they when they have a mass scanning system baked into iOS? Do people still think it's a good idea?
 
I found a lock screen bypass bug and spoke with Apple engineers and they didn't pay out a damn thing. Probably because I'm not a "researcher" professionally. But I was able to demonstrate it physically happening with a screen recording a couple years ago. I thought about going to MacRumors with it but decided against it because 1. I didn't want someone to figure out how to exploit it in the wild and 2. I didn't want to potentially lose my opportunity to get paid. I should've just gone to MacRumors with it.

Just in case you guys don't believe me, here is a video I made back in autumn 2018 where I actually recorded everything and was even going to post it to the site: http://aduke.co/EeR9Qb

@macduke : "I found a security flaw in MacOS, click this link to see it"
@Analog Kid : 🤔
 
There is no reason that the above can’t be solved. And at this point is only because of perceptual and cultural lag, possible arrogance, clear lack of CEO priority, and definite CFO cheapskatedness.
Can’t agree more. The board and the entirety of senior management are more than likely the culprits of such a horrible decision.
 
Why does this always gotta be a race somewhere? Who has the biggest bounty...
Because bughunters are people, and they need to survive. Plus people can’t share the same integrity and values. Lots of other reasons too. Economic incentive is by far the strongest force to drive something forward, not some moral high ground bs, not public safety etc.
 
Wow, people get jumpy when you suggest they should be financially accountable for their performance... You do expect that someone can be fired for poor performance, right? If an engineer or team introduces too many security flaws into their code then that would be considered poor performance, right? So what's wrong with having a sliding scale between “we love you” and “you’re fired”— pay for performance.

You’d expect the best engineers to favor that model, wouldn’t you? You’ve never been fed up at being dragged down as a team when you know full well who the problem is? I still remember the one where empty password boxes were being accepted by the OS-- if busting someone's chops for that bug meant losing some of the "brightest", then so be it.


No reason you need to start at the current pay level, if you merely want to account for the fact that an average engineer will always have bugs. Create a bonus pot that gets paid out to a researcher who finds a bug, or the team if none are found within a certain timeframe. The good teams with good engineers and processes get carrots, the teams without process or talent get sticks.

You might find engineering teams more willing to put up with more quality control if they know there's a pot of gold at the end of the flowchart.
Are you even a licensed Engineer? It’s literally like Engineering Ethics and Law 101 back in university.

Bugs are an inevitable part of software Engineering. Just like personnel casualties are an inevitable part of a shooting war with a peer adversary.

Tort law is there, study it.

A very important part of enterprise building and Engineering practice is to make sure that you are not “blameable” or “personally liable”.

Just like every time you buy a plane ticket, you are paying dollars into the disaster recovery fund. That’s for if you crash and die, that pays for the PR and cost of liability.
 
Tort law? Are you suggesting it’s illegal to set up a financial structure to incentivize performance and encourage accountability for results?

When you say making sure you aren’t “blameable” is a very important part of engineering practice, you realize git literally has a blame command to determine who’s responsible for a bad line of code, right?
 
There is a difference between a bitch-slap and an aggravated assault.

There is a difference between a sibling fight and a trial by combat.

I think you know the difference between the two “blames” in context.
 
To be honest, I have no idea what you’re talking about here. Maybe you’ve misunderstood my point, or maybe you’re just very worried….

Seriously though, aggravated assault? Trial by combat? How bad is the code you’ve been writing??!
 
As I said my Engineering degree is in Electrical, so it’s not just software and computers. I also deal with big voltage applications. When I screw up, either in embedded software or in control systems, or in, let’s say, transformer design, a lot of people will die. So, I’m much more risk averse and we are held to a much higher ethical and legal standard than a typical consumer electronics software programmer. But the idea is the same, a mistake or oversight that’s not going to be considered a tort can still result in a national security catastrophe or other major public interest issues. You and your company may be sued separately for billions of dollars in compensation or fines. Child protection is a big one, and a very big and inconspicuous hole 🕳.

You want to make sure that, for everything you sign off, as long as you are not being negligent by the official tort law definition, you are not liable, and it’s unforeseeable or an act of god.

Software being used for military purposes in Iran or North Korea, etc. You are dead. All for a benign piece of code.

Haven’t you learnt in Engineering school? Protect yourself legally, or do nothing? Same with doctors.
 
And what does any of this have to do with my proposal that Apple pay engineers less if they create more bugs?
 
I just told you if they are hiring real engineers that are trained to think like one, no one would take up that kind of offer. For a boot camp WebDev? Yes, maybe, probably, not either.

Also, in aviation, a hobby of mine, commercial pilots are allowed to do a “no fault” go-around. If they decide to fly around after being on track for a tricky or failed landing, they don’t have to explain this to anyone. Why?
 
It kind of terrifies me that you’re saying “When I screw up […] a lot of people will die,” but don’t think maybe your bonus should be affected that year…

To each their own. Most of the truly excellent engineers I know prefer a system where competence is rewarded.
 
Sounds like I struck a nerve.
Quite the opposite. Apple's arrogance will just lead to white hat hackers becoming black hat hackers. If Apple is too cumbersome to communicate with or not willing to compensate for my time checking the quality of their software, people will go to those who are more enthusiastic and show me appreciation for the work I did. And believe me it’s a sellers' market.

It would be the equivalent of me pointing out to the government how you can hack or compromise the election. If nothing is done, bureaucracy comes in the way and makes it a real pain in the ass, I will just give the information to the highest bidder who seems more interested. Will light a fire under their ass to patch it as well.
 
This. This 1000%.
It boils my piss to be honest… the Adobe comparison is warranted.

There are a couple of quirks that I still see happening several OSs later, dragged from Catalina to Big Sur and still expecting it on Monterey. I’ll have to start with a 100% clean state machine to see if I have just tainted it with crap… but nevertheless AirPods Pro/Max still stutter at random times, pausing and resuming with a ~2 second no-sound period (when it gets audio it’s a bit delayed also), sometimes clicking from one app window to another is met with a lag (64GB 2020 iMac here), or alt-tabbing sometimes pops up another window from another application (usually Safari) invading the focus of the selected one. To name a few.

Don’t get me wrong, these are really minor in the grand scheme of things, it works, I dread every time I have to visit windows… but goddamnit Apple, finish the damn job, polish it, I don’t care about that new fancy unfinished drag and drop-y thing if some key stuff still has rough corners!
I used to say that quality went downhill after Avie Tevanian left Apple. Things are mostly better now, but there are too many things that employees at Apple should see every day and be able to quantify and therefore, be able to be fixed. I wonder if people are too busy spending their money, commuting 3 hours to this area, or too high to care.
 
It’s very simple. If you don’t like the way Apple does it then don’t find their bugs. Eventually there will be some bad exploits and Apple will start paying more for the good guys to find their flaws.
It’s even simpler! If you don’t like the way Apple does it, find critical flaws and sell them to nation state actors for far more money than Apple is paying.
Pegasus was a “bad exploit” already and there are others, there are always others.
 
I think I read somewhere that Steve Jobs didn’t believe in hiring more than 100 developers for the company. He would rotate them to focus on different projects depending on the company’s priorities (putting them on the macOS project, shifting them to iPod, to iPhone, to Apple TV, to GarageBand, to other software projects, etc.).

I was always skeptical of this practice, and it’s kind of believable that this philosophy has perpetuated beyond Steve’s grave.

If there was a persistent iMovie team, GarageBand team, macOS team, bug-patching team, etc., and in tandem hiring as many people as necessary, then definitely the software quality would improve across the board.

I wonder how many software developers Microsoft have in comparison?
 
When I do my job, I operate as a licensed Professional Engineer vowed to fulfill "the Duty to Protect" under the "Code of Ethics",
  1. first to protect the public,
  2. second to protect the Engineering Profession,
  3. third to protect the employer
  4. fourth to protect self.
To be honest, I forgot if the client is on the list, but I don't think so, as they are often the plaintiff. If they are, then, they must be below employer. The point of this is that first the public, second the profession.

What we do in our job, in terms of safety, has nothing to do with bonuses.

Bonuses are for creativity, innovation, patents, commission, and seniority.
 
I'm very impressed with your qualifications, the enormous responsibilities you have been entrusted with, and the apparent seriousness you apply to them. I'm sure your family is very proud. I still don't understand what this has to do with the conversation at hand.


Let me break this down one step at a time. Are you saying your compensation should not be tied in any way to the quality of your work?
 
Looks like the hackers are moving towards an extortion business model.
Extortion? There are people who own used car lots in small towns who could afford Apple's yearly bounty expenses. This attitude is why Cellebrite can unlock any iPhone and NSO Group can remotely hack any iPhone via iMessage. These are just some of the exploits we know about thanks to these bug bounty hunters.
 
It’s tied to my (commercial) performance, but not quality of my work. The quality of my (Engineering) work is regulated by the state, and the profession, but not the company, at least not directly.

When money is mixed in, it affects where “self” lies in the priority list from my previous comment.

In other words, my need for self-preservation can put the public at risk.
 