Apple announces bug bounty program(techcrunch.com) |
Apple announces bug bounty program(techcrunch.com) |
And anyways, 200 grand is an astoundingly high ceiling for bug bounties; highest I've ever seen paid out was a "meager" 20k by Uber, and I thought that was a lot of money for a bug program at the time.
>However, Apple won’t turn away new researchers if they provide useful disclosures, and plans to slowly expand the program.
I'm reading this as: if you find a serious bug and report it, you'll get the money.
If you do good work and report it, you'll get paid accordingly.
No idea if that's right though.
Whoops. I just said "Steve Jobs never would've let this happen" line. Oh well.
They're letting in third-party keyboards another extensions, small additions to Siri, releasing actual software on android, it's not too surprising that they might be willing to do this now. Been very open on swift.
Apple Software has been suffering for awhile. And where software was involved, he certainly did call teams out for failures, but we also ended up with the path iTunes is on under his watch.
That said, I don't know now, but at a time, an email to Jobs did make things happen.
1. The exposure wasn't a "bug", so it's not worth a bug bounty.
2. The amount of effort it would take to start a bug bounty program would be far too cost prohibitive. In other words, "Everything's broken. We know it. If we start paying people to find what's broken, we'd go bankrupt." Heh.
So yeah. Don't be surprised.
- The effort required to find them
- The damage that can be inflicted on Apple in terms of brand goodwill and the subsequent loss of sales, e.g. The SEP implications for ApplePay
- The damage that can be inflicted on users and 3rd parties, e.g. imagine the amount of cash banks would be on the hook for if someone managed to say write a worm that used iMessage/SMS to propagate without user knowledge (e.g. with the recent TIFF vulnerability), and transfer funds from the user's bank account? Or made calls to the baseband to dial shady $10/minute premium rate numbers in some banana republic at 3AM every night?
- The amount of money TLAs and black market actors allegedly pay per the TC article.
- How much money Apple actually has, especially all the offshore cash that can't be repatriated to the US without incurring exorbitant capital gains. These bug bounties could be be remitted from any Apple subsidiary.
- Large bug bounties would de facto end jailbreaking
- Knowing Apple there would be endless NDAs and restrictive covenants before any payout is made.
IMO with all this considered the max payouts seem irrationally paltry.
The rest of them seem more than reasonable.
None of them are adequate compensation for the full-time work of someone who can find those kinds of bugs. Nor are they meant to be. If you can, for instance, find a bug that allows you to violate the integrity of the SEP, you have a market value as a consultant significantly higher than that $100k bug bounty --- which will become apparent pretty quickly after Apple publicly thanks you for submitting the bug, as they've promised to do.
When they go a year or two with no bugs found maybe you'll see them start upping the bid.
The program launches in September with five categories of risk and reward:
Vulnerabilities in secure boot firmware components: Up to $200,000
Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
Access to iCloud account data on Apple servers: Up to $50,000
Access from a sandboxed process to user data outside the sandbox: Up to $20,000http://www.reuters.com/article/us-apple-encryption-idUSKCN0X...
While $200,000 is certainly a sizable reward — one of the
highest offered in corporate bug bounty programs — it won’t
beat the payouts researchers can earn from law enforcement or
the black market. The FBI reportedly paid nearly $1 million
for the exploit it used to break into an iPhone used by Syed
Farook, one of the individuals involved in the San Bernardino
shooting last December.
In an unusual twist, Apple plans to encourage researchers to
donate their earnings to charity. If Apple approves of a
researcher’s selected institution, it will match their donation —
so a $200,000 reward could turn into a $400,000 donation.https://www.zerodium.com/ios9.html
Ever notice, you never see Superman and Clark Kent in the same room? ;)
I don't think it's a "we have to do this to survive" situation, just a "this seems a good idea" situation.
I believe Apple has already been listening, not as bone head as many imagine. Its just they prioritize what is important and needs fixing first.
Either its an open program or a closed program.
A closed program that allows submissions from others is an open program.
What reasons what they have to do it this way? My first guess is to tick some checkbox.
If they had explicitly said that it was an open program, they would have had to scale up their efforts to support the entire world of vulnerability researchers, or risk disappointing people for not responding quickly enough.
Put another way - if you are not part of the invited group, and you submit an issue, but do so poorly, or without a clear Proof-of-Concept, and concise description, you can reasonably expect to hear no response from Apple, with no grounds to complain that they ignored you. But, at the same time, if you have a clear exploit, well documented, with impact and proof-of-concept, then their is still an avenue to submit it to Apple, but it's up to Apple to decide how they wish to prioritize.
Thanks, that does make a lot of sense.
My main exposure to bug bounty programs has been through the blog post of submitters, that don't give much insight to the resources/support that e.g. Apple would need to give.
Or it's something in between. Few things in life are or have to be binary -- that's a very CS mindset.
Apple wants to start it as closed, so they have full discretion as to what "others" they will accept (since they've already said they're not just accepting anybody).
This helps them build up their teams and infrastructure for it with the fewer, pre-selected, people, and gives them time to expand (or even evaluate if they need expanding to fully open anyway, perhaps a smaller/controlled list works well enough too).
At the same time, the "we might accept non-invited third parties" gives them the opportunity not to miss out on any important unexpected collaborators / bugs.
That's just my personal impression, though.
edit: autocorrect fix
>Apple said it decided to limit the scope of the program at the advice of other companies that have previously launched bounty programs.
Those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open it up over time, according to Apple.
Security analyst Rich Mogull said that limiting participation would save Apple from dealing with a deluge of "low-value" bug reports.
"Fully open programs can definitely take a lot of resources to manage," he said.
http://www.reuters.com/article/us-cyber-blackhat-apple-idUSK...
I'm sure there are a lot of security researchers who would like to dabble in dozens of companies products, without being told what they had to do every day, yet still be compensated.
So it effectively reduces to what you'd prefer: 0.6X for yourself, or 2X for a non-profit that you want to support.