Apple Pays Hackers Six Figures To Find Bugs in Its Software. Then It Sits On their Findings.

Lack of communication, confusion about payments and long delays have security researchers fed up with Apple's bug bounty program. The Washington Post: Hoping to discover hidden weaknesses, Apple for five years now has invited hackers to break into its services and its iconic phones and laptops, offering up to $1 million to learn of its most serious security flaws. [...] But many who are familiar with the program say Apple is slow to fix reported bugs and does not always pay hackers what they believe they're owed. Ultimately, they say, Apple's insular culture has hurt the program and created a blind spot on security. "It's a bug bounty program where the house always wins," said Katie Moussouris, CEO and founder of Luta Security, which worked with the Defense Department to set up its first bug bounty program. She said Apple's bad reputation in the security industry will lead to "less secure products for their customers and more cost down the line."

Apple said its program, launched in 2016, is a work in progress. Until 2019, the program was not officially opened to the public, although researchers say the program was never exclusive. [...] In interviews with more than two dozen security researchers, some of whom spoke on the condition of anonymity because of nondisclosure agreements, the approaches taken by Apple's rivals were held up for comparison. Facebook, Microsoft and Google publicize their programs and highlight security researchers who receive bounties in blog posts and leader boards. They hold conferences and provide resources to encourage a broad international audience to participate. And most of them pay more money each year than Apple, which is at times the world's most valuable company.

Microsoft paid $13.6 million in the 12-month period beginning July 2020. Google paid $6.7 million in 2020. Apple spent $3.7 million last year, Krstic said in his statement. He said that number is likely to increase this year. Payment amounts aren't the only measure of success, however. The best programs support open conversations between the hackers and the companies. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement. Apple also has a massive backlog of bugs that it hasn't fixed, according to the former employee and a current employee, who also spoke on the condition of anonymity because of an NDA.

Re:

[Anonymous Coward]

It's fine. They're separate sentences for emphasis. Don't. Be. Such. A. Twat.

Re:

[BAReFO0t]

Because that's the length of a pause you would make there, when speaking it out loud.

Headlines don't have to be breathless.

The period isn't any special. It's just another sign for a pause of a certain length.

Broken button issue

[PeterGM]

Wonder if Apple ever got around to fixing the missing right mouse button, feels like it's been a while since that one was spotted.

Re:

[Nrrqshrr]

The one time "It ain't a bug, it's a feature" might work.

Re:

[BAReFO0t]

It's not a feature to force people to delay their action because you simulate a right mouse button with a delay.

Also, humans got five fingers. Putting any fewer than five buttons on it is a catastrophic design failure that even a child would be able to point out.
Always remember: Just because it's common, doesn't mean it's not insanity.

(I would prefer an updated DataHand Pro II with a built-in trackball, mounted vertically to the side of a chair, fingers down or with a nice wrist rest, to be frank. Anyone go

Re:

[tlhIngan]

It's not a feature to force people to delay their action because you simulate a right mouse button with a delay.

Also, humans got five fingers. Putting any fewer than five buttons on it is a catastrophic design failure that even a child would be able to point out.
Always remember: Just because it's common, doesn't mean it's not insanity.

Said like someone who never worked the helpdesk. Where "click the mouse button" is randomly a left click, a right click, or a middle click. And you'll spend the next half an h

Not a new problem

[arbiter1]

This isn't a new problem for Apple they always had this issue of taking forever to fix even smallest simple bugs in their software. I remember there was a huge flaw i think java one that effected windows side as well. Within 24h's of being public they had fix for windows side but took Apple 3 months to get around to pushing the fix on their side. As much as Apple prided it self on "security" it was security through obscurity. They had such a small market share that very few people were looking for flaws and

Re:

[ShanghaiBill]

Microsoft struggles with security because of its obsession with backward compatibility.

Apple is willing to throw legacy customers under the bus and do clean redesigns.

Re:

[NoMoreDupes]

Apple is willing to throw legacy customers under the bus and do clean redesigns.

"Redesigns*" that introduce.... a whole new set of (unfixed) bugs.

I lost track of how many new bugs got introduced over the years with new fancy-pants features that no one asked for (translucency, anyone?), while years-old bugs are still present today.

Seems Apple has no one doing QA over there - they're all "re/designing" new features instead.

(* 'redesigns' being mostly crap shoved down people's throats)

Sell your findings elsewhere

[registrations_suck]

Supply and demand.

Re:

[BAReFO0t]

Why not both?

You can always claim another "hacker" must've discovered it too, and you literally got $$$monies to prove that you warned them.
I mean finding a pseudonym on a Russian hacker board isn't really that hard. Access it via TOR, or your own personal TOR created from hacked Apple jewelry! ;)

Re: Sell your findings elsewhere

[registrations_suck]

I said "sell our findings elsewhere" not "sell them someone other than Apple."

"Sell your findings elsewhere" doesn't preclude selling them to Apple and anyone else who wants to pay....whatever the TOS of Apple's bug bounty program may be notwithstanding.

Re:

[kmoser]

Or just describe the symptoms of the bug, and demand--er, ask ask politely--that they pay you for the relevant details. No payment, no details.

Bug Bounty Program:

[hey!]

Apparently it's the corporate equivalent of a gym membership.

Isn't it obvious?

[BAReFO0t]

Apple is all about looks. Because it's a jewelry company.

It's the exact same thing as with their hardware: All show and crap substance.
Every Apple customer has a story to tell about a massive disappointment. (E.g. with a certain keyboard. Or if they ever had to meet a "genius".)
And that's not even counting what they would have said if they had looked inside.

So they pay a lot to look good a lot. Not to be good a lot.

Re:

[waspleg]

I'm going to take this to mean if they had looked inside themselves...

not surprising

[bloodhawk]

hardly surprising, Apples track record for security has been fucking awful for decades.

Not much of an expense?

[jenningsthecat]

Microsoft paid $13.6 million in the 12-month period beginning July 2020. Google paid $6.7 million in 2020. Apple spent $3.7 million last year...

When you consider the overall expenses, profits, and market valuations of the companies listed, even Microsoft's spending on bug bounties seems less than paltry. I would think there'd be a lot of value in having people from outside a company's culture / echo chamber enthusiastically chipping away at software - and possibly hardware - looking for vulnerabilities.

Are these companies really committed to making their products more secure? Or are bug bounties mostly security theatre, with any bugs actually discovered being at best a bonus - and at worst an inconvenience - for what might otherwise be called 'security washing'?

What?

[groobly]

What, you expect a big company to be efficient? Do not ascribe to conspiracy what can be explained by incompetence.