I’d blame modern day DevOps environments for this happening in the first place. Automated testing, poor timelines, rapid deployment and development. It’s a frigging rush-the-code-out-the-door factory where security is an afterthought handled by software engineers that might not know a lot about infrastructure or security. Horrible!

Hearing stories I'm pretty sure there is no modern day DevOps going on at Apple. That would at least flag several of these exploits.
 
The security could be better if they weren't operating a blackmarket of vulnerabilities and instead were reporting them to Apple. But hey, greed trumps the security of users I guess?
If Apple would finally have a real bug bounty program and the dev-fused iPhones they announced for security researchers more than a year ago but never rolled out, this would provide a good alternative to the black market and people would just choose that.

That someone who's working months on finding security issues needs to get paid for their time spent on it makes sense, otherwise only companies like Google's Project Zero who can fund it will be able to do research on it.

Would you work on something for free for months just to improve the security of a billion dollar company?
I’d blame modern day DevOps environments for this happening in the first place. Automated testing, poor timelines, rapid deployment and development. It’s a frigging rush-the-code-out-the-door factory where security is an afterthought handled by software engineers that might not know a lot about infrastructure or security. Horrible!

Are you saying that security was better in the olden days where there was apparently no such "rush" to get code out the door? I'd highly doubt that; all the changes that were added to modern operating systems weren't there before and it was trivial to exploit any old software. It's quite the opposite really, as even the programming languages used were way easier to get wrong, whereas things nowadays are already more secure by default. It's just that the surface area is way larger now and there are a lot more incentives to gain access or exploit software than there were before. Software will never be flawless no matter how much testing there is, otherwise we wouldn't have things like satellites, rockets or Boeing airplanes having issues with software.
Hearing stories I'm pretty sure there is no modern day DevOps going on at Apple. That would at least flag several of these exploits.

Why would "DevOps" be in charge of security reviews?
 
... And in other news, Apple will likely not roll out iOS 14 / iPadOS 14 to iPad mini 4, iPad Air 2 (the two top selling iPads of their times), among other devices.
 
It's like saying:

- Apple has made major contributions toward the fight against COVID-19
- Google sells you advertising.

The original post was some implied snark.

You are right that my statement was snarky. What I wanted to exemplify was the fact that Apple currently misses some important quality goals that are fundamental to a leading tech company.

The way Apple works poses some real threats to their future success.
 
You are right that my statement was snarky. What I wanted to exemplify was the fact that Apple currently misses some important quality goals that are fundamental to a leading tech company.

The way Apple works poses some real threats to their future success.
All companies miss these goals, including Microsoft, which was a point I made somewhere. If Microsoft can't get it right, no company can. Android isn't quite the bastion of safety and privacy either.
 
iOS is still the world's most advanced and secure operating system in the entire world. Nobody can convince me otherwise. We get always best-in-class security and privacy protection when we choose an Apple device.
And what exactly do you base your opinion on? Apple commercials? Here we have a fact that clearly shows that your opinion is wrong.
 
Hate to play devil's advocate, but how do we know that the claim from the company is fact or fiction? If you wanted to be a company seeking the limelight, what would you do? Would you pull a stunt like this? Or would you do something else?
Not to mention iOS 14 is JUST around the corner. Who’s gonna pay for exploits that could be worth nothing in a month or two?
 
Not to mention iOS 14 is JUST around the corner. Who’s gonna pay for exploits that could be worth nothing in a month or two?
Only a small fraction of the code is changed from one release to another. Accordingly, one should expect that only a small fraction of the vulnerabilities may be gone. Remember, these are the vulnerabilities that Apple does not know about (otherwise they would have fixed them already).
 
Only a small fraction of the code is changed from one release to another. Accordingly, one should expect that only a small fraction of the vulnerabilities may be gone. Remember, these are the vulnerabilities that Apple does not know about (otherwise they would have fixed them already).
How do you know how much code was changed from one release to another? Especially a new version of iOS. You're spitballing here. Correlation does not imply causation. Not only that, Apple could know about some vulnerabilities but prioritize what it has to fix first. Additionally, it's very easy, via public blogs, to see the vulnerabilities discovered that the company (any company) didn't know about, and I posted one example of a zero-day related to Windows that somehow was not turned around in a day.
 
How do you know how much code was changed from one release to another? Especially a new version of iOS. You're spitballing here. Correlation does not imply causation. Not only that, Apple could know about some vulnerabilities but prioritize what it has to fix first. Additionally, it's very easy, via public blogs, to see the vulnerabilities discovered that the company (any company) didn't know about, and I posted one example of a zero-day related to Windows that somehow was not turned around in a day.
I am a software designer and I know the software lifecycle very well. It's you who are spitballing and trying to question obvious things. There are no public blogs about the vulnerabilities used by Zerodium. For obvious reasons they do not disclose this information. To learn about these vulnerabilities, Apple has to buy them, as many people here already suggested. Apple does not do it.
 
I am a software designer and I know the software lifecycle very well. It's you who are spitballing and trying to question obvious things. There are no public blogs about the vulnerabilities used by Zerodium. For obvious reasons they do not disclose this information. To learn about these vulnerabilities, Apple has to buy them, as many people here already suggested. Apple does not do it.
You’re spitballing because you don’t know Apple's internal workings. There are public blogs about the vulnerabilities after they are remediated, so you know who found what. Microsoft et al. credit the finder. These are the public blogs.
 
You’re spitballing because you don’t know Apple's internal workings. There are public blogs about the vulnerabilities after they are remediated, so you know who found what. Microsoft et al. credit the finder. These are public blogs.
And we are talking about the vulnerabilities purchased and used by Zerodium. Some of them might be discovered by others and fixed, but to say (as OP did) that Zerodium might have stopped buying iOS vulnerabilities a few months before the release of a new version is just ignorant spitballing and an attempt to find an excuse for Apple. Did Zerodium stop buying iOS bugs before? No. Why? It's not like the next iOS release will be just a second release or a particularly special one. Besides, Android 11 will be revealed on June 3rd. Why didn't Zerodium stop using Android vulnerabilities until then?
 
And we are talking about the vulnerabilities purchased and used by Zerodium. Some of them might be discovered by others and fixed, but to say (as OP did) that Zerodium might have stopped buying iOS vulnerabilities a few months before the release of a new version is just ignorant spitballing and an attempt to find an excuse for Apple. Did Zerodium stop buying iOS bugs before? No. Why? It's not like the next iOS release will be just a second release or a particularly special one. Besides, Android 11 will be revealed on June 3rd. Why didn't Zerodium stop using Android vulnerabilities until then?
Nobody has any real facts about what’s behind it, and there’s a lot of uninformed spitballing masquerading as facts.

Zerodium is still buying Android vulnerabilities because the market share argument applies to bigger payloads, imo.

These tit-for-tat discussions can be spun any which way. (edited for clarity)
 
Hate to play devil's advocate, but how do we know that the claim from the company is fact or fiction? If you wanted to be a company seeking the limelight, what would you do? Would you pull a stunt like this? Or would you do something else?

Bingo, we have a winner.
 
I don't think it's a matter of bidding. Exploit finders seek out Zerodium because they pay more than Apple's bounty. Apple would have to pay out larger bounties to attract the type of person who seeks out Zerodium.
Yeah, that's what I was trying to say. Their bounties are pitiful compared to:

  1. How much they say they care about privacy and security
  2. How many customers they have
  3. How much money they have
  4. How much they charge for each product
Are they worried about an avalanche of reports they'd have to pay out if they up their bounty? If so, that seems worrying. But if it's only 20 per year, pay tens of millions. Who cares? They have Apple money.
 