
Researcher Won't Disclose MacOS Keychain 0 Day Without Apple Bug Bounty Program - bellinom
https://threatpost.com/macos-zero-day-exposes-apple-keychain-passwords/141584/
======
RunawayGalaxy
I think that there's a point where negligence becomes culpable. Given that,
I'm considering 2 questions:

1) Suppose Apple sells potentially vulnerable software to users and knowingly
refuses to curb market demand for potential exploits to the benefit of their
bottom line. When a zero-day is discovered and sold to the highest bidder,
what percentage of the blame does Apple deserve?

2) How does that percentage change with respect to the following? (a)
potential number of users affected (b) cost of a bounty program as a
percentage of total profit from sale of the vulnerable software

------
username3
He’s not holding the vulnerability hostage. The bug bounty is not worth his
time to consult and report the vulnerability to Apple.

~~~
Someone
He doesn’t _have_ to do it, but not worth his time? Sending his code to
product-security@apple.com in whatever state it is shouldn’t take him more
than 10 minutes.

And yes, he may have spent millions in hours to find this issue, but that’s a
sunk cost now.

~~~
bcheung
Granting a license to software that a company has invested millions of dollars
in takes less than 10 minutes as well, but that doesn't mean they are
obligated to give it to anyone who might find it useful for free. Sunk cost is
an orthogonal issue.

It's reasonable to expect compensation for your work. Caveat that they don't
sell it to someone who will exploit it.

Building or acquiring something of value in the hopes of profiting from it
later is a fundamental part of life. It is why we go to school, invest in
machinery, develop products, do research, etc.

------
amanzi
Why doesn't Apple have a bug bounty program for macOS?

~~~
dvfjsdhgfv
Because someone at Apple decided to concentrate on the iPhone only. Their
behavior towards the general computing line has been quite consistent in
recent years, and I doubt it will ever change.

------
droithomme
When there's no bounty program, or the bounty program is unreliably
administrated, people have a right to sell their research to the highest
bidder, whomever that may be.

~~~
tccc
People deserve to be compensated for their work; however, to suggest selling
it to the highest bidder is completely unethical. If you undertake work
without a prior agreement to be paid for it, you can't go and hold the
security of the userbase hostage in demanding payment.

~~~
mdekkers
_selling it to the highest bidder is completely unethical_

Whilst I don't disagree with the sentiment, "ethics" doesn't appear to have
been any kind of motivator for business in general, ever. Look around you. How
much of our goods and services have been produced by people working for a wage
that is far below even the "living wage" threshold? What kind of life do these
people live? What is their standard of living? How many of these products
inflict extreme damage on the environment in some form, either directly or
indirectly through the fossil fuels used and CO2 released in their production?

I strongly feel that "ethics" should become an overriding factor in where we
are going as a species. But I don't agree that the place to start crying about
ethics is some guy that finds problems in the product of a company with an
insanely large cash reserve whose current "financial woes" are measured in "we
are making a few billion dollars profit per quarter less than expected".

Apple can cry me a fucking river. It is on them to produce quality and secure
products, instead of trying to squeeze every last cent of "cost reduction" out
of every last element of their supply chain to the detriment of their user
base. It isn't like they sell budget products; in almost all cases, Apple are
the most expensive option for getting anything done.

Bug bounty programs are nothing new, and can be an effective avenue to
increase the security and reliability of your products. It isn't like this guy
is asking for anything outlandish, and he doesn't owe anything to anyone.

------
vuln
I wonder which nation state will bid the most?

