from Hacker News

Apple announces bug bounty program

by nos4A2 on 8/4/16, 11:36 PM with 92 comments

  • by joebergeron on 8/5/16, 1:05 PM

    This is definitely a step in the right direction. They say they're worried that their bounties won't be enough to dissuade anyone only interested in money from disclosing vulnerabilities to malicious sources. Honestly I think that a lot of people who discover these vulnerabilities would rather be paid slightly less money by disclosing to Apple and have the rep/CV fodder of "I broke Apple" that comes with a responsible public disclosure, than going through secret channels to make slightly more money at the risk of potential legal trouble.

    And anyways, 200 grand is an astoundingly high ceiling for bug bounties; highest I've ever seen paid out was a "meager" 20k by Uber, and I thought that was a lot of money for a bug program at the time.

  • by jtl999 on 8/4/16, 11:58 PM

    As mentioned, the program is currently invite-only.

    (ie, https://twitter.com/i0n1c/status/761349794510036992)

  • by hurricaneSlider on 8/4/16, 11:57 PM

    I'm a bit surprised, because you'd think that they'd have been doing this already.
  • by sjtgraham on 8/5/16, 12:50 AM

    I'm not familiar with the market but these seem low when you consider:

    - The effort required to find them

    - The damage that can be inflicted on Apple in terms of brand goodwill and the subsequent loss of sales, e.g. The SEP implications for ApplePay

    - The damage that can be inflicted on users and 3rd parties, e.g. imagine the amount of cash banks would be on the hook for if someone managed to say write a worm that used iMessage/SMS to propagate without user knowledge (e.g. with the recent TIFF vulnerability), and transfer funds from the user's bank account? Or made calls to the baseband to dial shady $10/minute premium rate numbers in some banana republic at 3AM every night?

    - The amount of money TLAs and black market actors allegedly pay per the TC article.

    - How much money Apple actually has, especially all the offshore cash that can't be repatriated to the US without incurring exorbitant capital gains. These bug bounties could be remitted from any Apple subsidiary.

    - Large bug bounties would de facto end jailbreaking

    - Knowing Apple there would be endless NDAs and restrictive covenants before any payout is made.

    IMO with all this considered the max payouts seem irrationally paltry.

  • by honkhonkpants on 8/5/16, 2:21 AM

    I wonder if they are backfilling rewards to any of the external researchers who have been doing all of Apple's security research for the last decade. Just as an example, a single researcher from Google is credited with 11 separate vulnerabilities that would qualify for the $50k reward, in a single patchlevel of OS X (and the same person had five such credits in the patchlevel prior to that!). That's almost a million bucks worth of rewards in only half a year of disclosures.
  • by godzillabrennus on 8/5/16, 2:56 AM

    Next they need to offer a bounty program for usability issues. iOS needs a lot of love since Forstall got squeezed out.
  • by nxzero on 8/5/16, 12:32 AM

    Wonder if they'll include their servers too; appears they're only doing the most recently released OS and hardware.
  • by alfanick on 8/5/16, 3:40 PM

    I once found a security bug on OS X/Mac (low chance of occurring, but it gives complete access), reported complete steps to reproduce and solutions, and received a more or less copy-pasted response. Two years and two OS X versions later, the bug is still there, even though it looks like a 5-minute fix...
  • by skizm on 8/5/16, 12:33 AM

    The question is: will they pay $1,000,000 for an exploit that unlocks an iPhone?

    http://www.reuters.com/article/us-apple-encryption-idUSKCN0X...

  • by pepijndevos on 8/5/16, 2:09 PM

    Am I reading it correctly that this is only iOS, and not other Apple software?
  • by 0xmohit on 8/5/16, 1:48 AM

    Charlie Miller must be happy.

    https://twitter.com/0xcharlie

  • by jordache on 8/5/16, 3:39 AM

    How about you fix bugs that are already well known, like how the SD reader dies after a while in El Cap?
  • by jrcii on 8/5/16, 1:20 AM

    Finally, I'm going to be rich!
  • by hoodoof on 8/5/16, 12:27 AM

    I wish Apple would just fix the myriad ordinary bugs, let alone focus on security.