Apple Announces Bug Bounty At Black Hat With Maximum $200,000 Reward (threatpost.com) 39
msm1267 quotes a report from Threatpost: Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty. The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of bugs in iOS and iCloud are in scope. Apple said the maximum reward will be $200,000 for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 access from a sandboxed process to user data outside that sandbox.
Invitation-only (Score:4, Insightful)
I don't think Apple understands the concept of the bug bounty program. Making it invitation-only will not persuade those who find bugs and have not been invited from sharing the details of the bug with you.
Re: (Score:3)
Yep, they ought to let you in to the "invite" group if you find something and they didn't "invite" you. For feck's sake Apple. Oh, wait, that's the 3rd paragraph in TFA.
Seriously, this is how Apple do it - they start a small project off to get experience, then they roll it out. I can't see the problem here...
invitation only... $200,000 max (Score:5, Insightful)
In the meantime the uninvited enjoy much greater rewards exploiting the bugs
Re: (Score:3)
It's an iOS only thing. Doesn't include MacOS, WatchOS or TVOS.
I understand WatchOS and TVOS not being included, since they are, in large part, iOS; but not having a separate bounty for macOS seems kind of odd. Anyone care to elaborate on why that might be?
Re: (Score:3)
It's an iOS only thing. Doesn't include MacOS, WatchOS or TVOS.
I understand WatchOS and TVOS not being included, since they are, in large part, iOS; but not having a separate bounty for macOS seems kind of odd. Anyone care to elaborate on why that might be?
Well, ultimately all smallprintOS are just OS X [cue Steve Jobs at the introduction of the iPhone saying it will run OS X] with a (more or less) different UI-API suited to the device class they run on. And any bug found outside that UI will benefit the core OS X and thus all other smallprintOS.
Re: (Score:2)
iOS, WatchOS, and TVOS are all basically OS X under the hood except with a different GUI on top. Under the hood basically the same OS.
Re:invitation only... $200,000 max (Score:4, Insightful)
In the meantime the uninvited enjoy much greater rewards exploiting the bugs
So? You also make more money selling crack cocaine than burgers at McDonald's, bounties are so white hats can make a living for those who want to be legit security researchers. I really doubt there's many that flip-flop between white hat and black hat depending on who's the highest bidder.
Re: (Score:2)
There is nothing inherently illegal about buying or selling security exploits. The federal government relies on this market.
Remember the San Bernadino iPhone? The FBI paid 1 mil for a single use exploit. A one time payment of 200k is chump change when you could just sit on it and strike a deal with the feds of a dozen countries for its continuous use.
Yeah, you just have to hope that nobody else takes the $200k - or gives Apple the info for free.
Re: (Score:2)
You also make more money selling crack cocaine than burgers at McDonald's
Exactly, that's why crack is available, delivered to your doorstep (soon by drone) 24/7. McDonalds sales amount to ~25 billion per year. Cocaine ~88 billion. Contraband is a bigger part of the economy than people like to admit. And those McDonalds employees could use a little supplemental income.
If you want your bounties to work, you can't go around putting conditions on them. Most people are going to take the path of least resistance.
Re: (Score:2)
In the meantime the uninvited enjoy much greater rewards selling the bugs to the highest bidder
FTFY
Re: (Score:2)
In the meantime the uninvited enjoy much greater rewards selling the bugs to the highest bidder
FTFY
Of course no bug bounty program yet installed has prevented that from happening. At least not if the target was in any way interesting to bidders.
Funny (Score:2)
Re: (Score:1)
Yeah, except that blackhat is the corporate conference where suits who don't know what they're talking about go to. I tend to think defcon will probably be more in the blowing raspberries at it, mostly because of the "invite only" portion. It'd be a sound proposal if not for that one stupid thing.
Re: (Score:2)
Yeah, except that blackhat is the corporate conference where suits who don't know what they're talking about go to.
I recently heard a unix sysadmin describe defcon as "the one the kids and people who can't get a job go to". It works both ways.
Re: (Score:2)
I am sure the feds at BlackHat were happy. Are you sure the ones that mattered were happy and cheering?
Re: (Score:2)
I am sure the feds at BlackHat were happy. Are you sure the ones that mattered were happy and cheering?
You are confusing that with the cheers after that announcement: https://tech.slashdot.org/story/16/08/05/1455230/googles-open-yolo-project-will-remove-the-need-for-passwords-on-android [slashdot.org]
Bug bounty payoffs cheaper than Employees (Score:1)
Why not pay people to debug your code prior to selling that crap to others?
"We won't wait until it is done before selling or we would make no money, and we cannot keep it secret that long either. We won't hire people to make good code, because we only hire people that do what little they are told, as fast and buggy as they can, so we can sell some more crap faster and have the buyers fix it themselves for no to low pay. We won't pay for work, only end results that we choose. And getting crap out there quick