
Apple Confirms $1M Reward for Anyone Who Can Hack an iPhone - tareqak
https://www.forbes.com/sites/thomasbrewster/2019/08/08/apple-confirms-1-million-reward-for-hackers-who-find-serious-iphone-vulnerabilities/#7b31cc2d3948
======
tptacek
What Apple is doing here is really smart. An under-appreciated wrinkle is that
grey-market sales are valued on continuous access; you get paid over a period
of time, and if the bug you sold dies, you stop getting paid. Apple isn't just
bidding against the brokers and IC in lump-sum payments, but also encouraging
people to submit bugs early, before they're operationally valuable for bad
actors.

~~~
ChrisCinelli
Isn't Apple's move mostly a PR stunt? Standard people will read "The iPhone
is so secure that Apple is willing to pay $1M to somebody who finds a
security vulnerability."

The reality is that they only pay that much for bugs in the kernel that do not
require a user interaction.

Other bugs that use a common action on an app that everybody uses, for example
opening the stock mail application, may be enough in order to compromise
almost all iPhones. Apple seems to pay "only" $100k for those problems.

I just scanned through the comments and clicked on some links so correct me if
what I wrote is not accurate.

~~~
Rotdhizon
I'd imagine this is to combat marketplaces like zerodium and the deep web.
Traditionally grey hat hackers don't always go through bug bounty programs
because the pay is awful compared to what you can get through less ethical
sources. By flexing that much cash at bug hunters, they are potentially now
offering even more than what you could get on the mentioned markets. The only
reason people go underground to sell exploits is for the money. Take away that
variable and suddenly there's no reason to sell exploits to bad actors, just
sell them straight to the source at Apple and get a fat paycheck.

~~~
xkcd-sucks
On these marketplaces, how do people demonstrate a PoC without giving away the
intellectual property? Or is it unproven and completely reputation-based?

~~~
shellcoder
Reputation plays a big part in it on both sides. Most buyers are not Zerodium,
putting themselves out there as buyers. So, there is a certain degree of
vouching that happens as someone introduces a buyer to a seller.

So, when either party violates the agreement, it reflects poorly on the
person who made the introduction, making it harder for them to make those
connections in the future. And these introductions matter; most sellers
don't want to just sell to anyone, there needs to be some trust that whoever
you're selling to will be selling it to friendly governments or whatever. It's
not like a craigslist ad where you sell to just anyone who answers.

So that acts as a deterrent on the buyer side. It'll be harder to get new
sellers if you have a poor, or no reputation.

On the seller side, you're not going to get too many people willing to vouch
for you as you start burning bridges by selling non-working exploits.

And on that, the payment scheme acts as a deterrent, like the great-
grandparent said:

> grey-market sales are valued on continuous access; you get paid over a
> period of time, and if the bug you sold dies, you stop getting paid.

That is, you might get XX Thousand upfront, and then an agreed upon XXX
thousand based on the exploit surviving XX days.

So trying to scam the buyer will net you a small amount of the total at best,
but I mean, often times they'll hold payment until it's confirmed, and contracts
are written and signed over these sales too; it's not under-the-table payments
or anything for the most part. Legitimate business transactions.

So, I guess to sum it up, reputation and a demonstrated, or at least vouched-for,
past record. There is a lot of trust on both sides.

~~~
tptacek
What's interesting to me about this --- and I've got no firsthand knowledge of
the markets --- is that Apple doesn't have to outbid brokers; a broker could
offer 50% more than Apple, but that comes with an X% uncertainty penalty. You
can sell to Apple and pocket $1MM, or try to structure a deal for $1.5MM and
gamble that the bug will survive. I'm betting that's often not a good deal;
the lump sum payment is the better option.
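A worked expected-value comparison of the two deal structures discussed above (a lump sum paid on report versus tranched payments that stop when the bug dies), added here as an illustration and not taken from the thread; the constant-hazard survival model, the tranche schedule and the dollar figures are constructed assumptions, not market data.

```python
"""Lump-sum bounty vs tranched grey-market sale: an expected-value sketch.

Added illustration, not code from the thread. It models the trade-off
described in the comments: a bounty paid in full on report, against a
larger headline price paid in instalments that stop if the bug is patched
("dies") before an instalment falls due. Per-day survival probability,
tranche schedule and lump-sum figure are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tranche:
    day: int       # day after the sale on which this instalment is due
    amount: float  # paid only if the bug is still unpatched on that day


# Constructed schedule: 300k on signing, 400k at 90 days, 800k at one year.
# Headline total is 1.5M, the broker-side figure used in the thread.
BROKER_DEAL: List[Tranche] = [
    Tranche(day=0, amount=300_000),
    Tranche(day=90, amount=400_000),
    Tranche(day=365, amount=800_000),
]
APPLE_LUMP_SUM = 1_000_000  # paid once, on acceptance of the report


def survival_probability(day: int, daily_survival: float) -> float:
    """P(bug still unpatched on `day`) under a constant daily hazard.

    A constant hazard is a simplification: it ignores that the chance of
    discovery rises once an exploit is actually deployed in the field.
    """
    if not 0.0 <= daily_survival <= 1.0:
        raise ValueError("daily_survival must be a probability")
    return daily_survival ** day


def expected_tranched_payout(tranches: List[Tranche], daily_survival: float) -> float:
    """Expected total received: each tranche weighted by the chance it is ever paid."""
    return sum(t.amount * survival_probability(t.day, daily_survival) for t in tranches)


def headline_total(tranches: List[Tranche]) -> float:
    """The price a broker can advertise: every tranche paid, the bug never dies."""
    return sum(t.amount for t in tranches)


def breakeven_daily_survival(
    tranches: List[Tranche], lump_sum: float, iterations: int = 100
) -> Optional[float]:
    """Daily survival rate at which the tranched deal's expected value equals the lump sum.

    Expected payout is monotone in the survival rate, so bisection suffices.
    Returns None when even certain survival pays less than the lump sum,
    i.e. the lump sum dominates at every survival rate.
    """
    if headline_total(tranches) < lump_sum:
        return None
    lo, hi = 0.0, 1.0
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if expected_tranched_payout(tranches, mid) < lump_sum:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def better_deal(tranches: List[Tranche], lump_sum: float, daily_survival: float) -> str:
    """'lump_sum' or 'tranched', judged by expected value only (risk-neutral seller)."""
    ev = expected_tranched_payout(tranches, daily_survival)
    return "tranched" if ev > lump_sum else "lump_sum"


if __name__ == "__main__":
    for rate in (0.995, 0.998, 0.9995):
        ev = expected_tranched_payout(BROKER_DEAL, rate)
        choice = better_deal(BROKER_DEAL, APPLE_LUMP_SUM, rate)
        print(f"daily survival {rate}: expected tranched payout {ev:,.0f} -> {choice}")
    be = breakeven_daily_survival(BROKER_DEAL, APPLE_LUMP_SUM)
    print(f"breakeven daily survival rate: {be:.5f}")
```

The breakeven rate shows how little daily risk it takes for the headline 1.5M to fall below the certain 1M: a risk-averse seller would need an even higher survival rate than the risk-neutral breakeven before the tranched deal is worth taking.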

~~~
shellcoder
I completely agree, it is an enticing offer from Apple for the reason you lay
out.

Not all brokers are alike though, exploit survival is a gamble, but sensible
end-buyers usually don't want to burn the exploits either so will use them
sensibly. There are some brokers that don't sell exclusively (despite their
claims), they have a reputation for exploits getting burned early.

I have not been involved with any iOS exploits, not really my area of
interest, but let's say I was. Would I consider selling it off to Apple? Yeah,
it would be something to consider. I'd consider the market rates too of
course: 1MM vs 1.5MM, sure Apple is enticing; 1MM vs 2MM, maybe not. Not sure
where I would actually draw a line, but you are right that Apple doesn't need
to compete directly with the market rate, just close enough.

I'm sure there are those that would rather just go for the bigger profits
regardless.

------
devin
Apple salaries aren’t much of a secret, see: levels.fyi.

1M is a lot of money to me, a regular person, but when you consider that top
security engineering talent could be making north of 500k in total
compensation, 1M suddenly doesn’t seem all that impressive.

It’s a good bet to make on their risk. Imagine paying a mere 1M to avoid a
public fiasco where all of your users get owned.

This just seems like good business. They could make it 5M, and it would still
be worth it to them in the medium to long term.

~~~
H8crilA
I'm surprised by how cheap the vulnerabilities market is. A good exploit,
against a popular product like Chrome, selling for 100k or even $1M may sound
like a lot, but it's really pennies for any top software firm. And $1M is
still a lot for a vulnerability by market prices.

You can do so much damage/return with an exploit that affects > 30% of the
population. Get 5 of those and the sky is the limit.

~~~
collyw
Out of interest how do you get to know the market price or the market in
general for this sort of thing?

If I were to discover a vulnerability is there a legal way I could cash in on
it (aside from this case with Apple)?

~~~
H8crilA
Some stuff on the internet:
[https://zerodium.com/program.html](https://zerodium.com/program.html)

Also I heard in person, so I cannot quote.

Not sure how legal this is, but there are even vulnerabilities brokers, who
set you up with buyers.

~~~
ChrisCinelli
Interesting... they do not seem to be interested in processor exploits.

~~~
H8crilA
Well it doesn't cost much to put it up there (among the list of things they
seek), now that we know it's feasible even against big players.

------
Despegar
>Forbes also revealed on Monday that Apple was to give bug bounty participants
"developer devices" - iPhones that let hackers dive further into iOS. They
can, for instance, pause the processor to look at what's happening with data
in memory. Krstić confirmed the iOS Security Research Device program would be
by application only. It will arrive next year.

I wonder how they're going to manage this. I could easily see some less than
ethical researchers applying for this program and selling all the 0 days they
find to the usual suspects rather than informing Apple.

~~~
TheRealSteel
Isn't the idea of a bug bounty at this scale that the monetary reward
(especially combined with the lowered legal risk, but also when considered in
isolation) is higher from reporting it to the vendor than from selling it on
the black market? I.e. presumably Apple has done their research and one
million dollars is more than they believe you'd get selling a zero day to
somebody else.

I don't work in the security field nor am I a business number cruncher, but
that was the gist I had of what these programs achieved.

Edit: see Despegar's reply, I should have RTFA! However worth pointing out
that there would be some incentive for researchers to go to Apple instead of a
third party, which might tip the scales in their favour.

~~~
Despegar
From the article:

>Previously, a company called Zerodium was vocal about how much it will pay
researchers, before handing them to its unknown government customers. In
January, the secretive company announced it was offering $2 million for a
remote hack of an iPhone.

So that's already more than what Apple offers. I tend to think they'll always
be outbid.

~~~
tptacek
I don't know many people here who believe Zerodium's price list, and while I
can't speak to Zerodium's payment terms, the norm appears to be tranched
payments, apparently often over a year; selling the same bug on the grey
market for "more" money (whatever it is brokers _actually_ pay) is a gamble
that the bug you've sold isn't going to die.

~~~
joshbetz
With those terms, they can buy a bug, report it to Apple, collect the $1m, and
be off the hook to pay out the remaining payments. It seems to me this makes
it much riskier to go to the black market than people here realize.

~~~
grugq
Yes, because that is exactly the sort of behavior that a business would engage
in. Screwing over their suppliers and demonstrating that they offer no value
whatsoever.

How would that make any sense? It is ludicrous.

~~~
Twisell
Would be a nice pivot for patent troll companies. In a world where profit is
king the question is not why, but when?

~~~
tptacek
A nice pivot for patent companies would be somehow generating the connections
and reputation to participate as brokers in this super-insular and highly
technical marketplace, and then burn all that work down to fuck over an
individual researcher for pocket change?

------
ChrisCinelli
For the naive guy who does not know how the trade of exploits really works and
keeps hearing of "black markets," do you care to explain in realistic terms how
these things work?

Where are the trades happening? Is it the exploiter putting out something like
"kernel exploit for iOS xx.x"? Or does the exploiter bid on people offering
money? How is the seeker of exploits going to be sure that the exploit is
working? How do the people keep their anonymity? And how is the money
exchanged? Cryptocurrencies? And how was it working before crypto?

Are governments bidding but they also want to convict the exploiter so they
get the exploit for free? I remember watching one or two movies where the
hacker was caught and was sentenced to jail. Government stepped in and said:
"You can either be in jail for n years or work with the good guys for n/2
years" Is it just science fiction?

~~~
grugq
It is not illegal to sell that type of software. It is not a black market, it
is a grey market.

There is no way you will ever hear authentic answers to your questions. The
only time anyone tried to explain that the resulting article backfired on the
interviewee. (Disclaimer, it was me)

Governments do not buy from developers. The paperwork would be insane. They
buy from businesses like Raytheon. How Raytheon gets them is opaque. But they
do employ hundreds of exploit developers. Read the r/netsec job postings and
notice how many require having a TS clearance. Every interesting job that says
“work on vulnerability discovery and exploit development” requires TS.

Governments generally speaking do not cheat on business deals where they want
to continue having access to that market. It is like stiffing the company that
sells you replacement parts for your government vehicles. You save money now,
but in the future your planes can’t fly and no one will do business with you.

All of this I explained during the interview, but the objective of the article
was not what I assumed it would be, which was to address the dynamics of how
the market works. I was naive to think that, but in my defense I was genuinely
shocked that people were unaware of the market (it has existed forever).
Literally everyone who is an infosec rockstar has been involved with exploit
sales [0]. Many still are because it allows them to work on what they enjoy —
bugs and exploits — and remunerates them for their expertise. They get paid a
living wage to do what they want. Like any freelance developer. They are just
smart enough to keep their mouths shut.

I haven’t been involved with the market for almost a decade now but you’ll
still hear people saying shit like “how does it feel to sell weapons to
dictators??” (Even on here there are a number of such comments.) I can
truthfully answer that I have no idea. I only ever sold software to western
governments who had a hard on for terrorists.

I’m still angry about it, but I have no one but myself to blame. You can’t
unfuck the goat. C’est la vie. People want sensational stories about evil
people, they don’t want stories about the dynamics of a grey market software
industry. No one will ever speak about it again (lessons learned analysis!
Protip, don’t be the lesson others learn from).

The market has changed massively over the years. It is nothing like the one I
was involved in back then. However, as I said, no one will ever discuss it
again. They saw what happened and they won’t speak in public about it.

What was, is, and will continue to be, the legitimate sale of vulnerabilities
is now closed forever.

As a thought experiment, think of this. Let’s take it for granted that the IC
counter terrorist units and the legal authorities hunting for child abusers
are acting in good faith. That is, not every single person at NSA is desperate
to see what you are doing on the Internet (literally, you are noise obscuring
their signal). There are people who are going after child sex abusers, do you
want them to have the capability to exploit a web browser or do you want web
browsers to be safe tools for child abusers. This is not hypothetical [1].

There cannot be a discussion about a market where there is so much hysteria
about fringe cases of abuse. Rather than trying to find ways of mitigating
against abuse, the reaction has been to advocate for prohibition. Prohibition
does not work, it simply drives reputable operators out of the market.

The conversation about vulnerability sales has been as even handed and
rational as the conversation about marijuana in the 50s. Instead of marijuana
madness you get “the FBI can hack your computer!!” ...I guess the upside is
that at least this time the topic is not a proxy for racism [edit: I retract
that statement. Pretty much every rationalization about banning vulnerability
sales talks about African or Arabian buyers.]

And again, I have said too much. Try to explain something, get called a baby
killer. I’ll bet there will be accusations of enabling dictators to spy on
civil rights activists. To preempt the “you don’t know what happens after you
sell it!” I say simply this — the point of having a middleman to handle the
transaction is to ensure that you sell to the right end users. Exploit
developers don’t want to sell to dictators, they find someone who can get them
access to a market where their work will be used ethically. That can’t be said
for all, of course. The jailbreak community in particular is essentially a
vendor to the Chinese government.

But there you go. The most you’ll hear about it from someone that actually
knows what they’re talking about.

[edit: haha, see? It was brought up before I even posted a response! [2] There
is no accurate information. Literally every single paper on the topic cites
newspaper articles rather than academic research. This is actually unique. It
is the outlier case. Mara did a review of the literature and found that the
majority of citations were to articles, far in excess of other topics)

[0]
[https://www.econinfosec.org/archive/weis2007/papers/29.pdf](https://www.econinfosec.org/archive/weis2007/papers/29.pdf)
[PDF] — a paper from Charlie Miller talking about how difficult it was for him
to sell exploits without a trusted third party to act as an impartial party to
the sale. That TTP is called an “exploit broker” because that sounds far
scarier than “trusted third party.” Incidentally, this is the environment I
was operating in, and it was clear that no one involved in security considered
it abnormal.

[1]:
[https://www.wired.com/2014/01/tormail/](https://www.wired.com/2014/01/tormail/)
... look at the framing of the article. It is not “FBI screws up their
operation and mistakenly collects data that is irrelevant to their
investigation.” It is “if you used this secure email provider [hosted on the
same infrastructure as a massive child sex abuse web site] the FBI has _your_
inbox!!!!”

[2]
[https://news.ycombinator.com/item?id=20651348](https://news.ycombinator.com/item?id=20651348)
.. feel free to read the article and think what you like. Andy Greenberg is a
good journalist. I was an idiot. ¯\\_(ツ)_/¯

~~~
ChrisCinelli
> What was, is, and will continue to be, the legitimate sale of
> vulnerabilities is now closed forever.

So in past, present and future, the legitimate sale of vulnerabilities is now
closed forever. When was it legitimate?

Are you saying that since it is not legit, exploits should never be sold? What
are you advocating for ?

~~~
donkeyd
I think (though I can't be sure), what they're trying to say is that it's
still legitimate, but it's opaque, because nobody wants to talk about it.
Because of that, it seems, to outsiders, like it's an evil black market, even
though many people involved in it, believe that they're doing the right thing.

~~~
grugq
Exactly so.

------
Geee
OT, but if you have showdead on, you can see beeschlenker's weird comment. It
seems that he hears "things" in his own security cameras, and also thinks he
is in a "Truman show" setup. Just a heads up if someone in the area could
possibly help him.

[https://www.gofundme.com/f/to-keep-brian-schlenker-alive](https://www.gofundme.com/f/to-keep-brian-schlenker-alive)

~~~
awake
Can you contact gofundme. He probably needs help and some of these larger
companies have ways of informing local authorities if someone is at risk of
harming themselves or others.

~~~
Geee
I sent a report to GoFund.

------
m0dest
This is great. Every company should be responsible for paying market price for
security vulnerabilities in their own products. If you make something that
carries significant market value, you should be paying the security tax in the
form of a security team or bug bounties.

~~~
pkaye
So who will be responsible for all the open source software security
vulnerabilities?

~~~
sverhagen
End users. Integrators. Developers in terms of reputation. Thanks to
disclaimers not at all too different from closed source software.

------
an4rchy
Does anyone know if these types of bug bounties are negotiable?

As several people have mentioned, hackers can sell to the highest bidder and
having proof that you have an exploit is probably sufficient, but what if
Apple was willing to pay as much as the highest bidder?

This may also likely convince people who have sold bugs to reach out to Apple.

It probably costs them a fraction of the PR spend or risk of data breach/user
exposure etc.

~~~
jimmyjohndoe
The press release specifies that the $1000000 quoted figures are minimum
payments for the given category of bug, so the actual amount paid could be
anywhere upwards from that.

------
snazz
How feasible would it be to find bugs in the iPhone kernel’s network stack? I
imagine this is pretty battle-tested stuff, but it would tick all the boxes
for remote and no interaction.

Edit: Since it's XNU, and it's open-source, and it's been around for a really
long time, this seems unlikely. But if something was found in here, for
instance, everything would be practically compromised:
[https://github.com/apple/darwin-xnu/blob/master/bsd/netinet/...](https://github.com/apple/darwin-xnu/blob/master/bsd/netinet/ip_input.c)

~~~
saagarjha
Here's one in the Multipath TCP component:
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4241).
I don't think this is remotely exploitable, though.

------
tw1010
Why aren't Apple worried that this'll incentivise employees to leak insider
information to grey-hackers who'll share a cut of the reward?

~~~
knd775
I'm not sure how that would work. Apple isn't just sitting on exploits.

------
gabrielblack
I think it's a cheap offer. If you are a professional well introduced in the
business of selling 0days, for a gem like that, you can charge even a single
customer the same amount. Indeed there are private companies offering even
more ([https://www.securityweek.com/zerodium-offers-2-million-ios-h...](https://www.securityweek.com/zerodium-offers-2-million-ios-hacks-1-million-chat-app-exploits))!
Ok, companies involved in this business have some "safeguard" clauses in case
the hole is discovered too soon (see for example the Hacking Team e-mails), but
you can sell this kind of vulnerability practically to everyone. So the offer
IMHO is a public relations move.

------
grugq
Unregulated markets are not black markets. They are grey markets.

------
webninja
This is fantastic news from Apple! I use an iPhone and I can sleep a little
better at night knowing that someone would now have to risk burning a
$1 million exploit if they wanted to hack me! I’m not worth near that much yet
so I’m probably not worth spending $1M on.

I remember the days of jailbreak-me.org when you could just visit that
website, your iDevice would be rooted, and Cydia would be installed on your
iDevice. You could install all sorts of tweaks, mods, and apps through Cydia.
I remember installing a Pandora tweak that gave unlimited skips, gave it a
black theme, and removed ads (because I was a poor student) and got freaked
out because if tweaks could modify apps like that, then they could probably
phish banking passwords. Anyone else remember those days?

------
axaxs
This is an area that's always been fascinating to me, but that I've never
dived into. I'm not overly interested in this particular program, just
exploits in general and perhaps examples of how and why they work. Anyone have
any resources that they've found useful?

~~~
kingaillas
There's a ton of info out there in various websites and blogs. I like the
RPISEC Modern Binary Exploitation class as a great introduction. The lectures
and materials (and a VM!) are on github:
[https://github.com/RPISEC/MBE](https://github.com/RPISEC/MBE)

~~~
pequalsnp
This is awesome. Thanks for the resource.

------
lobo_tuerto
1 million vs one or two sales for 1.5M, hmmm...

I think Apple could do better and has the resources to do so. Why not
incentivize enough so the people that profit from this kind of business don't
even have to ponder the decision?

------
throwaway42947g
Given I know "stuff" but compared to anybody who really "knows" I am a noob in
exploit engineering. I just know basic inner workings of a computer and a
little reverse engineering.

Would it even make sense for me to try? It seems like the probability I find
something, especially without user interaction, seems so far off that it would
be hard for me to find a constant motivation.

Imagine one year where I dedicate two days a week to learning, understanding and
trying. Would I have any chance at all to find something worth the $1M?

Thank you!

~~~
kdbg
> Imagine one year where I dedicate two days a week to learning, understanding
> and trying. Would I have any chance at all to find something worth the
> $1M?

Yes...but probably not the way you're thinking.

Most issues are discovered these days through fuzzing first. So there is
always a chance your fuzzer will find an issue worth $1M; it's much less likely
that you'll realize its worth or be able to demonstrate and begin to weaponize
the exploit to prove its worth.

Let's rephrase the question a little bit though:

Instead of "Would I have any chance at all to find something worth the
$1M?" let's ask "Would I have any chance of learning this level of exploit
development?"

Two days a week, let's just round to 50 weeks a year, give yourself a bit of a
break during the year, and say 100 days of effort.

So, in 100 days would you have any chance of reaching the level of being
able to at least write an iOS exploit, ignoring the discovery aspect?
Unfortunately, the answer is still no.

But, you would make some serious progress!

A modern iOS zero-click exploit isn't just one issue; in a worst-case (okay,
there are worse than this, but this is a poor case) scenario you might need
the following issues:

- Memory leak + entry point service exploit
- Sandbox escape to low priv user
- Privilege escalation to higher priv user
- Kernel memory leak + kernel exploit to finally get root privs

Even for someone with experience, going from fuzz result to exploit can
take months. So in 100 days of spread-out effort, you won't be doing that,
but you might be able to begin to approach that first stage, a memory leak and an
exploit in a user-land service.

I do only say might because 100 days is a really short time when you think
about how technical your knowledge of this stuff needs to be, but I'd like to
think that with some real determination, in 100 days at least foundations of
modern software exploits should be approachable.

As for whether it would make sense for you to even try, the best time to start
was 20 years ago; it's been getting increasingly more difficult. The longer you
wait the higher the barrier to entry gets.

------
syn0byte
Given the "kernel" requirement coupled with the design of these devices in
general, any real non-interactive RCE will be claimed to not be "in the
kernel"... it was a Qualcomm or ARM binary blob not the kernel!, It was the
Baseband firmware not the kernel! It was libXYZ not the kernel! etc.

------
OrgNet
Can she claim it:
[https://googleprojectzero.blogspot.com/2019/08/the-fully-rem...](https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html) ?

~~~
RKearney
From the article:

> The full $1 million will go to researchers who can find a
> hack of the kernel—the core of iOS—with zero clicks required
> by the iPhone owner.

Which one of the vulnerabilities discovered met that criteria?

~~~
mauricioc
She has a list at
[https://twitter.com/natashenka/status/1155940732084973568](https://twitter.com/natashenka/status/1155940732084973568)
(recall that "remote, interaction-less" means "do not require any physical
interaction from the target to be exploited, and work in real time", according
to the Project Zero blog post).

Edit: As the posters below said, those aren't kernel bugs. Thanks for the
correction!

~~~
RKearney
I do not believe a springboard crash counts as a hack of the kernel.

------
m0zg
Didn't Google just publish an article where their researchers pwned iPhone 10
different ways? Now granted, those bugs are all patched now, but who's to say
they were the last ones?

------
MrXOR
Good news, but Zerodium is paying $2M (and probably $3M from tomorrow)

------
thehesiod
I'd like to see what what prevents double dipping, first report to unethical
places, wait a bit, then report to Apple.

~~~
mkl
I think that's why the amount is so high. If you sell it for less to bad guys,
someone else might find the same exploit (or a connected one) and swoop in and
claim the big amount from Apple, and you lose out.

------
Ice_cream_suit
NSO Group monetises iPhone vulnerabilities for a lot more than a million
dollars.

------
Applethief
So, the governments will have to pay the hackers more, right?

------
HeavyStorm
Hasn't NSA already got that title?

------
llacb47
*$1M reward for highest vulnerability

------
amelius
Will this be the end of rooted iPhones?

~~~
saagarjha
This looks to _be_ a rooted iPhone.

~~~
amelius
Yes, but immediately patched by Apple. It seems to me that in the future you
simply can't own a rooted iPhone, because Apple put a $1M bounty on making
that impossible.

(If you don't see where this is going: after a while all the security holes
will be patched, and thus no more rooted iPhones.)

------
_annatar
what does IC stand for??

~~~
mzkply
Intelligence Community

~~~
_annatar
Thanks man, appreciated it. Now i can read the comments here with some context

------
ApplePRScam
Not true, false PR. They do this when there is a mass shooting to show their
phones are secure. I've contacted Apple many times on hacks. No response.
iPhones are hackable, I can show you.

------
marthawither
Love the push Apple is doing for privacy.

------
ProAm
How about $1M for a working keyboard on a Macbook?

------
groundlogic
Just noting:

This isn't nearly enough money to stop North Korea, Israel, Russia, US, UK,
France etc. Pretty sure a zero-day would be 10-100x more valuable to them than
this $1 million reward. (Why is this even controversial?)

~~~
swarnie_
Cool... Go negotiate with one of those entities if you have a death wish. I'd
rather hand it over to Apple, make a name for myself and get clean cash than deal
with the underbelly of the modern world.

------
jamisteven
"The full $1 million will go to researchers who can find a hack of the
kernel—the core of iOS—with zero clicks required by the iPhone owner. Another
$500,000 will be given to those who can find a “network attack requiring no
user interaction." Ehhh, what's the point in this exactly? Apple only considers
bugs to be significant if the penetration can happen without help from the end
user? That's not how this works in the real world, Apple.

~~~
XCabbage
Nothing wrong with this in itself. A zero-interaction attack - like being able
to get root on everyone who even walks past your WiFi hotspot with their phone
switched on, even if it's in their pocket not being used - IS more valuable
than one that requires user interaction, and it's quite right for rewards to
reflect that with higher rewards.

------
jdnenej
Soon apple will be paying $1M to anyone who can work out how to change the
battery.

------
known
Is this a marketing strategy aka
[https://en.wikipedia.org/wiki/Streisand_effect](https://en.wikipedia.org/wiki/Streisand_effect)
to counter Android
[https://www.bloomberg.com/graphics/2019-android-global-smart...](https://www.bloomberg.com/graphics/2019-android-global-smartphone-growth/)
or
[https://en.wikipedia.org/wiki/Illusory_superiority](https://en.wikipedia.org/wiki/Illusory_superiority)

------
3xblah
"Another $500,000 will be given to those who can find a "network attack
requiring no user interaction.""

The implication of this conditional reward is that interactive use presents
more/easier attack opportunities than non-interactive use. To clarify
terminology, it is arguable that "non-interactive" can be a synonym for
"automated" in this context.

Further, we might argue that canonical examples of "interactive" use are
clicks, drags, taps or swipes. In other words, the prevailing "UI" for many
users and the one promoted by many developers.

Now, if you agree these are fair statements then it is also arguable that from
the user's perspective it could be useful to engage in
non-interactive/automated use not only for reasons of efficiency or convenience
but also for reasons of "security".

Finally, given these propositions, the question I ask is why website and app
users are continually faced with "terms and conditions" that seek to prohibit
non-interactive use. Interactive use benefits those running a website or app
server in at least one obvious and significant way: _more interaction means
more data to collect_. But if we accept the implication of this bug bounty it
also means greater risk to the user.

Regulators need to protect the user's right to use her computer, including a
"smartphone", in a non-interactive manner. This right is constantly under
attack (no pun intended) by those who are in the business of collecting user
data. Interactive use can result in less data privacy and more/easier attack
opportunities.

~~~
cortesoft
This seems backwards.... they are offering more money for attacks that don't
require user interaction because they are HARDER, not easier, to accomplish.

~~~
nemosaltat
Exactly. I seem to remember an app a while back that was billed as a heartbeat
reader and it would have you repeatedly press and release the fingerprint
sensor. After a delay it would flash some sort of in-app purchase
authorization. Pwnage that relies on some sort of user interaction is worth
50% less, and rightly so.

