This is definitely a step in the right direction. They say they're worried that their bounties won't be enough to dissuade anyone only interested in money from disclosing vulnerabilities to malicious sources. Honestly I think that a lot of people who discover these vulnerabilities would rather be paid slightly less money by disclosing to Apple and have the rep/CV fodder of "I broke Apple" that comes with a responsible public disclosure, than going through secret channels to make slightly more money at the risk of potential legal trouble.
And anyways, 200 grand is an astoundingly high ceiling for bug bounties; highest I've ever seen paid out was a "meager" 20k by Uber, and I thought that was a lot of money for a bug program at the time.
Apple has slowly been opening up; they used to be such an incredibly secretive company under Jobs that there's no way this would've ever happened.
Whoops. I just said the "Steve Jobs never would've let this happen" line. Oh well.
They're letting in third-party keyboards and other extensions, small additions to Siri, releasing actual software on Android; it's not too surprising that they might be willing to do this now. Been very open on Swift.
I had the... pleasure... of speaking to Comcast's CISO after doing a security risk exposure disclosure. Before talking to her, there were mentions of bug bounties, etc. (neat). After talking to her, though, she said in a hand-wavy way that:
1. The exposure wasn't a "bug", so it's not worth a bug bounty.
2. The amount of effort it would take to start a bug bounty program would be far too cost-prohibitive. In other words, "Everything's broken. We know it. If we start paying people to find what's broken, we'd go bankrupt." Heh.
I'm not familiar with the market but these seem low when you consider:
- The effort required to find them
- The damage that can be inflicted on Apple in terms of brand goodwill and the subsequent loss of sales, e.g. the SEP implications for Apple Pay
- The damage that can be inflicted on users and 3rd parties, e.g. imagine the amount of cash banks would be on the hook for if someone managed to, say, write a worm that used iMessage/SMS to propagate without user knowledge (e.g. with the recent TIFF vulnerability) and transfer funds from the user's bank account? Or made calls to the baseband to dial shady $10/minute premium-rate numbers in some banana republic at 3AM every night?
- The amount of money TLAs and black market actors allegedly pay per the TC article.
- How much money Apple actually has, especially all the offshore cash that can't be repatriated to the US without incurring exorbitant capital gains. These bug bounties could be remitted from any Apple subsidiary.
- Large bug bounties would de facto end jailbreaking.
- Knowing Apple there would be endless NDAs and restrictive covenants before any payout is made.
IMO with all this considered the max payouts seem irrationally paltry.
As tptacek loves to point out, the point of bug bounty programs is not to compete on price with the black market. And in fact, according to the article, the $200k Apple is offering is one of the highest for corporate bug bounty programs already.
No doubt there's going to be some low-hanging fruit (speaking relative to the experience of the participants) that is going to get scooped up quickly, so why would they open the program at something higher? Just high enough to entice the experts to pick off the "easy" ones seems the intelligent thing to do.
When they go a year or two with no bugs found maybe you'll see them start upping the bid.
I wonder if they are backfilling rewards to any of the external researchers who have been doing all of Apple's security research for the last decade. Just as an example, a single researcher from Google is credited with 11 separate vulnerabilities that would qualify for the $50k reward, in a single patchlevel of OS X (and the same person had five such credits in the patchlevel prior to that!). That's almost a million bucks worth of rewards in only half a year of disclosures.
Among the many reasons this is very unlikely to happen, the bounty values we see now account for the increased difficulty of finding these kinds of vulnerabilities in iOS since its earliest releases. This is an OS that was designed as a platform for secure applications --- that's part of the premise of apps on the Apple phone --- and it's gotten much harder to find and exploit vulnerabilities on the platform since that release.
The program launches in September with five categories of risk and reward:
Vulnerabilities in secure boot firmware components: Up to $200,000
Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
Access to iCloud account data on Apple servers: Up to $50,000
Access from a sandboxed process to user data outside the sandbox: Up to $20,000
I once found a security bug on OS X/Mac (low chance of occurring, but it gives complete access), reported complete steps to reproduce and solutions, and received a more or less copy-pasted response. Two years and two OS X versions later, the bug is still there, even though it looks like a 5-minute fix...
> While $200,000 is certainly a sizable reward — one of the highest offered in corporate bug bounty programs — it won’t beat the payouts researchers can earn from law enforcement or the black market. The FBI reportedly paid nearly $1 million for the exploit it used to break into an iPhone used by Syed Farook, one of the individuals involved in the San Bernardino shooting last December.
Interestingly, for altruistic / independently wealthy researchers there's an incentive to report to Apple:
> In an unusual twist, Apple plans to encourage researchers to donate their earnings to charity. If Apple approves of a researcher’s selected institution, it will match their donation — so a $200,000 reward could turn into a $400,000 donation.
Couldn't wait for YouTubers to make a video about this or you thought that your comment wouldn't make any difference in a sea of identical mindless comments?
Or if you prefer "thanks, after this I'm going to buy a Nexus 6p"?
jtl999|9 years ago
(i.e., https://twitter.com/i0n1c/status/761349794510036992)
Jerry2|9 years ago
> However, Apple won’t turn away new researchers if they provide useful disclosures, and plans to slowly expand the program.
I'm reading this as: if you find a serious bug and report it, you'll get the money.
bpchaps|9 years ago
So yeah. Don't be surprised.
skizm|9 years ago
http://www.reuters.com/article/us-apple-encryption-idUSKCN0X...
danjoc|9 years ago
https://www.zerodium.com/ios9.html
Ever notice, you never see Superman and Clark Kent in the same room? ;)
0xmohit|9 years ago
https://twitter.com/0xcharlie