2017-07-06
iPhone Bugs Are Too Valuable To Report To Apple (vice.com)
An anonymous reader writes: Last year, Apple launched a long-awaited bug bounty program to reward friendly hackers who report flaws in the iPhone to the company. Despite inviting some of the best hackers in the world to join, it's a bit of a flop so far. The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research. "People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly." Patrick Wardle, a former NSA hacker who now specializes in MacOS research and was invited to the Apple bug bounty program, agreed. He said that iOS bugs are "too valuable to report to Apple."
So just increase the bounty... (Score:5, Insightful)
Apple's pockets are a little deeper than most.
They could surely increase the bounty to a point where no one could possibly compete with them.
Re: (Score:2)
They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet" until a zero day rears its ugly head. It's not like Apple could buy the stuff at an auction or something - or could they?
Is this like blood transfusions . . . (Score:2)
where the bug-exploit reveal is "cleaner" if it comes from a volunteer donor rather than from a humanities grad student or homeless person who gets money from Plasma-R-Us?
There is always a solution: (Score:2)
Re: (Score:1)
Thus lowering the quality of the developers who work on iOS which increases the bug count.
No, I don't think a positive feedback loop is a good idea.
Re: (Score:2)
Then they quit and get replaced by cheaper developers that create more bugs.
Re:So just increase the bounty... (Score:5, Insightful)
I don't think the economics will work.
iOS bugs are presumably valuable because they allow you to exploit users for lots of $$$ and because they are rare. If Apple raises the bounty, then unfixed bugs will become even rarer and grey market prices will rise and you are back where you started.
Then Apple is not paying well enough (Score:2, Insightful)
Then Apple is not paying well enough if the grey* market pays better.
* NSA, FAPSI, 3PLA, etc
Don't call them researchers (Score:2)
Someone willing to sell bugs to criminals if they pay better is greyhat at best.
Re: (Score:2)
Too hard to find flaws? (Score:2)
The iPhone's security is so tight that it's hard to find any flaws at all
Really? This sounds like corporate PR to me.
I'd guess that it's more that there aren't as many skilled hackers trying to break iOS, than some intrinsic superiority of the OS.
Re: (Score:2)
Re: (Score:2)
You seem not to know much about how an OS works, how its security works and particularly why iOS is that secure.
Your post is pointless.
It starts with 'skilled hackers trying to break', you watch too many bad movies about 'hacking'.
It's the risk not the pay (Score:2)