Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Security Researchers Unhappy With Apple's Bug Bounty Program

WoodpeckerBaby said:
It’s tied to my (commercial) performance, but not quality of my work. The quality of my (Engineering) work is regulated by the state, and the profession, but not the company, at least not directly.

When money is mixed in, it affects where “self” lays in the priority list previous to this comment.

In other words, my need for self-preservation can put the public at risk.
Click to expand...

So your salary comes from a lookup table in some government spreadsheet without discretion? You have no performance reviews? If you changed employers, you would be payed exactly the same amount?

How exactly does the state and the profession regulate the quality of your work?
 
Analog Kid said:
So your salary comes from a lookup table in some government spreadsheet without discretion? You have no performance reviews? If you changed employers, you would be payed exactly the same amount?

How exactly does the state and the profession regulate the quality of your work?
Click to expand...

By passing inspections and conforming to, e.g., IEC standards. The guideline of Engineering quality and design target are almost always outlined in the contract.

My salaries will not change regardless. If I'm asked to design an aircraft control system to withstand two simultaneous sensor falures, I would not design for 3, and I would not design for 1. It's easy to check if my work is good. Just unplug one, blow up the second, then freeze the third, and see if the system can recover in each case. If it conforms to the "design specifications" then it's golden. If it doesn't, I get busted, and I would have to go back and check what the hell happened there. The project may get delayed and I may get fired, replaced, demoted, or have my qualifications investigated. It's also possible that the failure is a reasonable Engineering calibration step and I don't get anything against me. But, my salaries before the HR change will not be reduced regardless.

If the aircraft is crashed after 10 years, assume an FAA investigation found that the control system I designed was the cause. Now
  1. If it's due to design specification, i.e., should've asked for designing for 3 simultaneous failure, then sorry, not my problem. Ask whoever made the specifications.
  2. If it's due to maintenance, sorry not my problem
  3. If it's due to my design, e.g., not accounting for component degradation or input drift over time, then, it will be reviewed by the regulators, and a few other Professional Engineers will be appointed to review the case and see that a reasonably competent Engineer would have accounted for this in design, then I would be prosecuted by the regulators. Such as license suspension, etc. But, I wouldn't get fined or anything financially related. The company would be "vicariously liable" for my tort/negligence and will be made to compensate. I may be suited by the client concurrently and separately, which is where Professional Liability insurance comes in. Salary though, still the same. Promotion though, unlikely.
  4. If it's my design and it's deemed that a reasonably competent Engineer would likely also make this mistake, then it's not a tort. I wouldn't be liable for anything. In practice, the bar is fairly low. If you are competent and do your work carefully, anything that goes wrong is usually not foreseeable.
I hope that makes sense.
 
Last edited:
WoodpeckerBaby said:
I may get fired, replaced, demoted, or have my qualifications investigated
Click to expand...

Ok so, as I'd expect, "self-preservation" is a motivator. Getting fired, replaced, demoted, or losing your license would all have financial implications among others. You didn’t answer my question, but I’m guessing that better engineers in your firm are more likely to get larger increases and are more likely to be promoted, as they are in most firms without severe issues of corruption.

I see from another thread that you also claim an economics degree, so you should understand the importance of incentives in economic decision making. When you pay more for something (quality) you get more of that thing.


Now move this out of your world and put it into Apple’s. I’d guess the number of licensed PEs working on their software is between few and none. The regulators in this case are the security researchers. Unit and regression testing, field and beta testing are roughly the equivalent of your “unplug one, blow up the second, freeze the third” testing. Failing inspection and field failures have similar consequences.

When you say tying your pay to the quality of your work would put “self” above the public, how does the economist in you explain that? Quality in this case means less failure, failures that you claim will kill lots of people. Quality is in the public interest, and tying your pay to the quality of your work means quality is in your interest as well.

When you say “bugs happen”, you’re disincetivising quality control in favor of other priorities. When you pay bug bounties, you are incentivizing researchers to find bugs but not incentivizing your engineers to avoid them. If you make the financially incentivize the arms race between developers and researchers then you’re leveraging competition and providing balanced incentives for prevention and detection.
 
Analog Kid said:
Ok so, as I'd expect, "self-preservation" is a motivator. Getting fired, replaced, demoted, or losing your license would all have financial implications among others. You didn’t answer my question, but I’m guessing that better engineers in your firm are more likely to get larger increases and are more likely to be promoted, as they are in most firms without severe issues of corruption.

I see from another thread that you also claim an economics degree, so you should understand the importance of incentives in economic decision making. When you pay more for something (quality) you get more of that thing.


Now move this out of your world and put it into Apple’s. I’d guess the number of licensed PEs working on their software is between few and none. The regulators in this case are the security researchers. Unit and regression testing, field and beta testing are roughly the equivalent of your “unplug one, blow up the second, freeze the third” testing. Failing inspection and field failures have similar consequences.

When you say tying your pay to the quality of your work would put “self” above the public, how does the economist in you explain that? Quality in this case means less failure, failures that you claim will kill lots of people. Quality is in the public interest, and tying your pay to the quality of your work means quality is in your interest as well.

When you say “bugs happen”, you’re disincetivising quality control in favor of other priorities. When you pay bug bounties, you are incentivizing researchers to find bugs but not incentivizing your engineers to avoid them. If you make the financially incentivize the arms race between developers and researchers then you’re leveraging competition and providing balanced incentives for prevention and detection.
Click to expand...
For “self”, this is because I may choose to hide issues that may be problematic later but would definitely pass inspection and the warranty period for the firm to get paid in full, and my salary too. After the cutoff, I don’t care. Let it burn.

In Microeconomics, there is a concept of “money corrupts”. When you reward people’s altruistic behaviours, people cease to be altruistic. It’s kind of an insult, really. For example, paying people who donate blood, people stop donating or giving altogether. This is called ”Market Failure”.
 
Last edited:
WoodpeckerBaby said:
For “self”, this is because I may choose to hide issues that may be problematic later but would definitely pass inspection and the warranty period for the firm to get paid in full, and my salary too. After the cutoff, I don’t care. Let it burn.

In Macroeconomics, there is a concept of “money corrupts”. When you reward people’s altruistic behaviours, people cease to be altruistic. It’s kind of an insult, really. For example, paying people who donate blood, people stop donating or giving altogether.
Click to expand...

You are already in that situation— you don’t want to lose your job, or your license.

Employment is not an altruistic behavior.
 
Analog Kid said:
You are already in that situation— you don’t want to lose your job, or your license.

Employment is not an altruistic behavior.
Click to expand...
No?

I would correct or raise concerns for a potential issue if I am not going to be penalized for doing so.

You see, I kept trying to make the distinction between employment and Engineering practice for a reason. They are mutually independent of each other. If there is a conflict, I am supposed to follow what‘s mandated by the profession, not my employer. Protecting the public is altruistic.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back