
Apple announces bug bounty program - nos4A2
https://techcrunch.com/2016/08/04/apple-announces-long-awaited-bug-bounty-program/
======
joebergeron
This is definitely a step in the right direction. They say they're worried
that their bounties won't be enough to dissuade anyone only interested in
money from disclosing vulnerabilities to malicious sources. Honestly I think
that a lot of people who discover these vulnerabilities would rather be paid
slightly less money by disclosing to Apple and have the rep/CV fodder of "I
broke Apple" that comes with a responsible public disclosure, than going
through secret channels to make slightly more money at the risk of potential
legal trouble.

And anyways, 200 grand is an astoundingly high ceiling for bug bounties;
highest I've ever seen paid out was a "meager" 20k by Uber, and I thought that
was a lot of money for a bug program at the time.

------
jtl999
As mentioned, the program is currently invite only

(i.e.,
[https://twitter.com/i0n1c/status/761349794510036992](https://twitter.com/i0n1c/status/761349794510036992))

~~~
Jerry2
From the article:

> _However, Apple won’t turn away new researchers if they provide useful
> disclosures, and plans to slowly expand the program._

I'm reading this as: if you find a serious bug and report it, you'll get the
money.

~~~
Godel_unicode
I haven't read the article, but I was at the announcement and your take is
exactly how it was clarified in the room.

If you do good work and report it, you'll get paid accordingly.

~~~
robzyb
That setup doesn't make any sense to me.

Either it's an open program or a closed program.

A closed program that allows submissions from others is an open program.

What reasons would they have to do it this way? My first guess is to tick some
checkbox.

~~~
ghshephard
It's pretty straightforward. Apple wants to start off slow, with a small group
of people, and develop the quality of the program. By being explicitly closed,
but implicitly open, they can focus their energy on the invited researchers,
and ensure a high-level of support/response.

If they had explicitly said that it was an open program, they would have had
to scale up their efforts to support the entire world of vulnerability
researchers, or risk disappointing people for not responding quickly enough.

Put another way - if you are not part of the invited group, and you submit an
issue, but do so poorly, or without a clear Proof-of-Concept and concise
description, you can reasonably expect to hear no response from Apple, with no
grounds to complain that they ignored you. But, at the same time, if you have
a clear exploit, well documented, with impact and proof-of-concept, then there
is still an avenue to submit it to Apple, but it's up to Apple to decide how
they wish to prioritize.

~~~
robzyb
> Put another way - if you are not part of the invited group, and you submit
> an issue, but do so poorly, or without a clear Proof-of-Concept and concise
> description, you can reasonably expect to hear no response from Apple, with
> no grounds to complain that they ignored you. But, at the same time, if you
> have a clear exploit, well documented, with impact and proof-of-concept,
> then there is still an avenue to submit it to Apple, but it's up to Apple to
> decide how they wish to prioritize.

Thanks, that does make a lot of sense.

My main exposure to bug bounty programs has been through the blog posts of
submitters, which don't give much insight into the resources/support that e.g.
Apple would need to give.

~~~
ghshephard
The actual effort is pretty minimal - 2-3 FTEs for a closed bounty program,
plus maybe another 15-20 FTEs or so to assist with triage once it's opened up
- total cost for Apple to set up a bug bounty is on the order of
$5 million/year in staffing. It's more about trying to scale up so you don't
end up annoying people by not being responsive - it takes time to hire the
people and train them.

------
hurricaneSlider
I'm a bit surprised, because you'd think that they'd have been doing this
already.

~~~
MBCook
Apple has slowly been opening up; they used to be such an incredibly secretive
company under Jobs that there's no way this would've ever happened.

Whoops. I just said the "Steve Jobs never would've let this happen" line. Oh
well.

They're letting in third-party keyboards and other extensions, small additions
to Siri, releasing actual software on Android; it's not too surprising that
they might be willing to do this now. They've been very open on Swift.

~~~
jmspring
There was a time when, if you had issues with hardware, an email to Steve Jobs
actually resulted in a customer escalation. I had one of the 15" MBPs that had
the Nvidia chip issue, but never experienced that. But I had 3 other problems
-- all handled (first time for me with Mac hardware). A polite email on a
Friday night after I hit my 4th hardware issue, and the next trip to the Apple
Store was for an "in kind" replacement based on purchase price.

Apple software has been suffering for a while. And where software was involved,
he certainly did call teams out for failures, but we also ended up with the
path iTunes is on under his watch.

That said, I don't know about now, but at one time, an email to Jobs did make
things happen.

~~~
ksec
They still do. I've emailed Tim Cook on issues and got a few replies. Sometimes
I don't get a reply, but a solution is made to the problem months down the
road.

I believe Apple has already been listening, not as boneheaded as many imagine.
It's just that they prioritize what is important and needs fixing first.

------
sjtgraham
I'm not familiar with the market, but these seem low when you consider:

- The effort required to find them

- The damage that can be inflicted on Apple in terms of brand goodwill and
the subsequent loss of sales, e.g. the SEP implications for Apple Pay

- The damage that can be inflicted on users and 3rd parties, e.g. imagine the
amount of cash banks would be on the hook for if someone managed to, say, write
a worm that used iMessage/SMS to propagate without user knowledge (e.g. with
the recent TIFF vulnerability), and transfer funds from the user's bank
account? Or made calls to the baseband to dial shady $10/minute premium rate
numbers in some banana republic at 3AM every night?

- The amount of money TLAs and black market actors allegedly pay per the TC
article.

- How much money Apple actually has, especially all the offshore cash that
can't be repatriated to the US without incurring exorbitant capital gains.
These bug bounties could be remitted from any Apple subsidiary.

- Large bug bounties would de facto end jailbreaking

- Knowing Apple, there would be endless NDAs and restrictive covenants before
any payout is made.

IMO, with all this considered, the max payouts seem irrationally paltry.

~~~
eridius
As tptacek loves to point out, the point of bug bounty programs is _not_ to
compete on price with the black market. And in fact, according to the article,
the $200k Apple is offering is one of the highest for corporate bug bounty
programs already.

~~~
tptacek
That $200k boot ROM bounty might be the single instance I know of where a
stated bounty value _might_ be lower than the actual market for the
vulnerability. If you were slick, you might make more from that bug than Apple
would pay with the bounty. That is a bug class with a current, existing,
liquid market.

The rest of them seem more than reasonable.

 _None of them_ are adequate compensation for the full-time work of someone
who can find those kinds of bugs. Nor are they meant to be. If you can, for
instance, find a bug that allows you to violate the integrity of the SEP, you
have a market value as a consultant significantly higher than that $100k bug
bounty --- which will become apparent pretty quickly after Apple publicly
thanks you for submitting the bug, as they've promised to do.

------
honkhonkpants
I wonder if they are backfilling rewards to any of the external researchers
who have been doing all of Apple's security research for the last decade. Just
as an example, a single researcher from Google is credited with 11 separate
vulnerabilities that would qualify for the $50k reward, in a single patchlevel
of OS X (and the same person had five such credits in the patchlevel prior to
that!). That's almost a million bucks worth of rewards in only half a year of
disclosures.

~~~
eriknstr
I don't think it would make economical sense for Apple to pay for something
that they already got for free.

~~~
honkhonkpants
Sure, but it would be a gesture of goodwill and a way of making amends for
years of freeloading.

~~~
nathanvanfleet
That guy did 10 more after the first freebie. Could it be that something else
was motivating him?

~~~
Godel_unicode
I believe the researcher in question works for project 0.

------
godzillabrennus
Next they need to offer a bounty program for usability issues. iOS needs a lot
of love since Forstall got squeezed out.

~~~
nikofeyn
iOS? What about Mac OS X? It's completely stagnated, if not gotten worse, from a
usability standpoint.

------
nxzero
Wonder if they'll include their servers too; appears they're only doing the
most recently released OS and hardware.

~~~
et-al
Towards the bottom of the article they note this:

    The program launches in September with five categories of risk and reward:

    Vulnerabilities in secure boot firmware components: Up to $200,000
    Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
    Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
    Access to iCloud account data on Apple servers: Up to $50,000
    Access from a sandboxed process to user data outside the sandbox: Up to $20,000

------
alfanick
I once found a security bug on OS X/Mac (low chance of occurring, however it
gives complete access), reported complete steps to reproduce and solutions, and
received a more or less copy-pasted response. Two years and two OS X versions
later, the bug is still there, even though it looks like a 5-minute fix...

~~~
yorwba
Report it again, take the bounty?

~~~
alfanick
The problem with the current state of the bounty program is that it's
invitation-only (I'm no security researcher) and iOS-centered :/

------
skizm
The question is: will they pay $1,000,000 for an exploit that unlocks an
iPhone?

[http://www.reuters.com/article/us-apple-encryption-idUSKCN0X...](http://www.reuters.com/article/us-apple-encryption-idUSKCN0XQ032)

~~~
biot
The article already addresses this:

    While $200,000 is certainly a sizable reward — one of the
    highest offered in corporate bug bounty programs — it won’t
    beat the payouts researchers can earn from law enforcement or
    the black market. The FBI reportedly paid nearly $1 million
    for the exploit it used to break into an iPhone used by Syed
    Farook, one of the individuals involved in the San Bernardino
    shooting last December.

Interestingly, for altruistic / independently wealthy researchers there's an
incentive to report to Apple:

    In an unusual twist, Apple plans to encourage researchers to
    donate their earnings to charity. If Apple approves of a
    researcher’s selected institution, it will match their donation —
    so a $200,000 reward could turn into a $400,000 donation.

~~~
et-al
Smart move. That's not too shabby of a tax deduction.

~~~
paulcole
I don't understand how the deduction from giving X to a researcher and X to a
charity is smarter than just giving X to the researcher?

~~~
NhanH
Tax deduction for the researcher, not Apple (note the original GP was about
"altruistic / independently wealthy researchers").

~~~
mkagenius
How is a donation of X for tax savings better than 0.6X income?

~~~
0xmohit
It is meant to encourage donations to non-profits which is something pretty
good that corporates could do.

So it effectively reduces to what you'd prefer: 0.6X for yourself, or 2X for a
non-profit that you want to support.

------
pepijndevos
Am I reading it correctly that this is only iOS, and not other Apple software?

------
0xmohit
Charlie Miller must be happy.

[https://twitter.com/0xcharlie](https://twitter.com/0xcharlie)

------
jordache
How about you fix bugs that are already well known, like how the SD reader
dies after a while in El Cap?

~~~
amenghra
That has nothing to do with security.

------
jrcii
Finally, I'm going to be rich!

------
hoodoof
I wish Apple would just fix the myriad ordinary bugs, let alone focus on
security.

