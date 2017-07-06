
Iphone Security The Almighty Buck

iPhone Bugs Are Too Valuable To Report To Apple (vice.com)

Posted by msmash from the big-dilemma dept.
An anonymous reader writes: Last year, Apple launched a long-awaited bug bounty program to reward friendly hackers who report flaws in the iPhone to the company. Despite inviting some of the best hackers in the world to join, it's a bit of a flop so far. The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research. "People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly." Patrick Wardle, a former NSA hacker who now specializes in MacOS research and was invited to the Apple bug bounty program, agreed. He said that iOS bugs are "too valuable to report to Apple."


  • So just increase the bounty... (Score:5, Insightful)

    by Anonymous Coward on Thursday July 06, 2017 @12:12PM (#54757191)

    Apple's pockets are a little deeper than most.

    They could surely increase the bounty to a point where no one could possibly compete with them.

    • Re: (Score:2)

      by Kergan ( 780543 )

      They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet" until a zero day rears its ugly head. It's not like Apple could buy the stuff at an auction or something - or could they?

      • where the bug-exploit reveal is "cleaner" if it comes from a volunteer donor rather than from a humanities grad student or homeless person who gets money from Plasma-R-Us?

      • They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet"...

        Let's remember this is a reward program, not a ransomware scheme. Payment is rather dependent on disclosure and validation to vendor, so it's pretty easy to dismiss the full-of-shit concerns.

        And yes, Apple can easily afford to pay many times more than what they're offering. To your point, ignorance will likely ensure vendors find out the hard way what a proper reward should be.

      • It's not like Apple could buy the stuff at an auction or something - or could they?

        They indeed could buy them from the black market cyber-arms-dealers like anyone else, at highly inflated prices. Zerodium will sell to anyone.

    • Re:So just increase the bounty... (Score:5, Insightful)

      by jeremyp ( 130771 ) on Thursday July 06, 2017 @12:34PM (#54757395) Homepage Journal

      I don't think the economics will work.

      iOS bugs are presumably valuable because they allow you to exploit users for lots of $$$ and because they are rare. If Apple raises the bounty, then unfixed bugs will become even rarer and grey market prices will rise and you are back where you started.

      • Amway lit a fire once why not bring the hackers in with some sort of public rankings (updated monthly), secret conclaves in HI for the best 25 and all that bull
      • The amount of money you can exploit the users for is a constant. Let's say you can milk users out of $10 for a bug, Apple wants to pay you $2 and the grey market wants to pay $5 (they have to make a profit, just like everyone else). If Apple raises their payout to $10, then they remove any incentive to sell to a grey market. The grey market value will remain unchanged as its price is set based on how much you can milk out of users based on a bug.

  • Then Apple is not paying well enough (Score:3, Insightful)

    by Anonymous Coward on Thursday July 06, 2017 @12:12PM (#54757193)

    Then Apple is not paying well enough if the grey* market pays better.

    * NSA, FAPSI, 3PLA, etc

    • If they are rare then Apple will not have to pay for many of them, so the cost will not be huge. They ought to publicise when they have paid a bounty (and fixed the problem). Apple should then pay these bounties out of the marketing department budget, not software development. Their marketing department probably has a larger budget than development.

  • What's this grey stuff? (Score:1)

    by Anonymous Coward

    If you sell it to Apple, you are a white hat hacker and helping make the product better.
    But it costs you 7 figures per bug to be a good guy or gal.

    If you sell at market rate, it isn't a grey market, it's a black market.
    You are not only preventing something from getting fixed, you are helping folks do bad things.
    But you get a bunch of cash.
    It ought to be illegal except that it is funded by the FBI etc.

    I don't see how it would hurt Apple to pay market rates, but folks should not get away with clean cash for

  • Someone willing to sell bugs to criminals if they pay better is greyhat at best.

    • Wouldn't call them gray either, they are black-hats 100%. Why call them gray? What good have they done? The bug they found will be exploited criminally. Now lol, if they sold the bug to criminals and then turned around and sold it to Apple, then I would tag them gray.

  • The iPhone's security is so tight that it's hard to find any flaws at all

    Really? This sounds like corporate PR to me.

    I'd guess that it's more that there aren't as many skilled hackers trying to break iOS, than some intrinsic superiority of the OS.

    • Re: (Score:2)

      by mbkennel ( 97636 )
      There are plenty of iOS users who have money, there's plenty of motivation. There aren't as many hackers because it's not very rewarding. The OS and app infrastructure is more secure, and it limits application developers in cases.

    • You seem not to know much about how an OS works, how its security works and particularly why iOS is that secure.
      Your post is pointless.

      It starts with 'skilled hackers trying to break'; you watch too many bad movies about 'hacking'.

  • Semantics are important (Score:1)

    by Anonymous Coward

    That's black market, not grey, I think.

  • If I'm good and work for bug bounties on other projects I can get a sort of steady pay. If I work on iOS bugs I might not find a valuable one with 6 months of effort. You could raise the payout to a million dollars a bug but I can't work on it full time because I will never know if and when I will get the pay.

  • There is no good or acceptable reason to do anything with a vulnerability other than to first report it to the developer, and then release it to the public if they fail to patch it within an acceptable timeframe.

    Make no mistake, that market is as black as the devil's heart.
