top | item 28641932

sseppola | 4 years ago

The best explanation I've heard was in Darknet Diaries about Zero Day Brokers, which was a fantastic listen! (https://open.spotify.com/episode/4vXyFtBk1IarDRAoXIWQFf?si=3...)

The short version is that if the bounties become too large, they'll lose internal talent who can just quit to do the same thing outside the org. Another reason was that they can't offer competitive bounties for zero days because they'll be competing with nation states, effectively a bottomless bank, so the price will always go up.

I don't know much about this topic, but surely there are some well structured bounty programs Apple could copy to find a happy middle ground to reward the white hats.

donatzsky | 4 years ago

That explains the payout, but not the poor communication on the part of Apple.

shmatt | 4 years ago

This is the real reason, not anything internal/culture related.

A good iOS 0-day is worth hundreds of millions of dollars in contracts with shady governments. Apple can't compete with that multiple times a year.

sangnoir | 4 years ago

This doesn't compute: is the claim Apple badly manages its bug-bounty because 0-days are too valuable? If that's the case, I'd expect the opposite effect: Apple would recognize how valuable the reports being sent to them by white-hats are, and would react with a sense of urgency and gratitude. As it is, Apple is behaving as if 0-days are worth very little, and not a big priority.

heavyset_go | 4 years ago

According to Zerodium, iOS exploits are cheaper than Android exploits because they are so plentiful in comparison.