Apple announces bug bounty program (techcrunch.com)
344 points by nos4A2 on Aug 4, 2016 | 92 comments

This is definitely a step in the right direction. They say they're worried that their bounties won't be enough to dissuade anyone only interested in money from disclosing vulnerabilities to malicious sources. Honestly I think that a lot of people who discover these vulnerabilities would rather be paid slightly less money by disclosing to Apple and have the rep/CV fodder of "I broke Apple" that comes with a responsible public disclosure, than going through secret channels to make slightly more money at the risk of potential legal trouble.

And anyways, 200 grand is an astoundingly high ceiling for bug bounties; highest I've ever seen paid out was a "meager" 20k by Uber, and I thought that was a lot of money for a bug program at the time.

As mentioned, the program is currently invite only

(ie, https://twitter.com/i0n1c/status/761349794510036992)

From the article:

>However, Apple won’t turn away new researchers if they provide useful disclosures, and plans to slowly expand the program.

I'm reading this as: if you find a serious bug and report it, you'll get the money.

I haven't read the article, but I was at the announcement and your take is exactly how it was clarified in the room.

If you do good work and report it, you'll get paid accordingly.

That setup doesn't make any sense to me.

Either it's an open program or a closed program.

A closed program that allows submissions from others is an open program.

What reasons would they have to do it this way? My first guess is to tick some checkbox.

It's pretty straightforward. Apple wants to start off slow, with a small group of people, and develop the quality of the program. By being explicitly closed, but implicitly open, they can focus their energy on the invited researchers, and ensure a high level of support/response.

If they had explicitly said that it was an open program, they would have had to scale up their efforts to support the entire world of vulnerability researchers, or risk disappointing people for not responding quickly enough.

Put another way - if you are not part of the invited group, and you submit an issue, but do so poorly, or without a clear Proof-of-Concept, and concise description, you can reasonably expect to hear no response from Apple, with no grounds to complain that they ignored you. But, at the same time, if you have a clear exploit, well documented, with impact and proof-of-concept, then there is still an avenue to submit it to Apple, but it's up to Apple to decide how they wish to prioritize.

> Put another way - if you are not part of the invited group, and you submit an issue, but do so poorly, or without a clear Proof-of-Concept, and concise description, you can reasonably expect to hear no response from Apple, with no grounds to complain that they ignored you. But, at the same time, if you have a clear exploit, well documented, with impact and proof-of-concept, then there is still an avenue to submit it to Apple, but it's up to Apple to decide how they wish to prioritize.

Thanks, that does make a lot of sense.

My main exposure to bug bounty programs has been through the blog posts of submitters, that don't give much insight to the resources/support that e.g. Apple would need to give.

The actual effort is pretty minimal - 2-3 FTEs for a closed bounty program, plus maybe another 15-20 FTEs or so to assist with triage once it's opened up - total cost for Apple to set up a bug bounty is on the order of $5 million/year staffing. It's more the trying to scale up so you don't end up annoying people by not being responsive - it takes time to hire the people and train them.

>That setup doesn't make any sense to me. Either it's an open program or a closed program.

Or it's something in between. Few things in life are or have to be binary -- that's a very CS mindset.

Apple wants to start it as closed, so they have full discretion as to what "others" they will accept (since they've already said they're not just accepting anybody).

This helps them build up their teams and infrastructure for it with the fewer, pre-selected, people, and gives them time to expand (or even evaluate if they need expanding to fully open anyway, perhaps a smaller/controlled list works well enough too).

At the same time, the "we might accept non-invited third parties" gives them the opportunity not to miss out on any important unexpected collaborators / bugs.

I read that as: if you find a bug and report it, you may get invited into the formal bug bounty program (but may not get a payout on the first one).

No idea if that's right though.

The Reuters report has some details about why they limited it:

>Apple said it decided to limit the scope of the program at the advice of other companies that have previously launched bounty programs.

Those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open it up over time, according to Apple.

Security analyst Rich Mogull said that limiting participation would save Apple from dealing with a deluge of "low-value" bug reports.

"Fully open programs can definitely take a lot of resources to manage," he said.


True, but it's not like Apple doesn't have the resources to manage an open submission program.

They may have financial resources but I doubt their security engineers would want to deal with the deluge.

It's not about throwing money or people at a problem, it's the overhead that lowers its efficiency and agility.

Maybe they want to invest cautiously. Seems smart to me.

Then it seems like a job to me, if it is, then they should pay a salary.

If it was a salaried job you would have to sign a Non-Disclosure, assign all intellectual property rights to Apple, ensure that you have good work attendance, be responsive to what your manager tells you to do, etc, etc...

I'm sure there are a lot of security researchers who would like to dabble in dozens of companies' products, without being told what they had to do every day, yet still be compensated.

I imagine if you find a good bug and aren't on their list, you could bring in someone who is to help out...

... Or Apple could just be like every other bug bounty and pay out regardless of if you're on a white list or not.

Someone's always willing to pay.

It just might be in bitcoin on some .onion site :)

I'm a bit surprised, because you'd think that they'd have been doing this already.

Apple has slowly been opening up, they used to be such an incredibly secretive company under Jobs there's no way this would've ever happened.

Whoops. I just said the "Steve Jobs never would've let this happen" line. Oh well.

They're letting in third-party keyboards and other extensions, small additions to Siri, releasing actual software on Android, it's not too surprising that they might be willing to do this now. Been very open on Swift.

There was a time if you had issues with hardware, an email to Steve Jobs actually resulted in a customer escalation. I had one of the 15" MBPs that had the Nvidia chip issue, but never experienced that. But had 3 other problems -- all handled (first time for me with Mac hardware). A polite email on a Friday night after I did hit my 4th hardware issue, next trip to the Apple Store was for an "in kind" based on purchase price replacement.

Apple Software has been suffering for a while. And where software was involved, he certainly did call teams out for failures, but we also ended up with the path iTunes is on under his watch.

That said, I don't know now, but at a time, an email to Jobs did make things happen.


Just trying to understand: do people begin off by writing to Tim Cook or do they use the usual channels and then end up writing to Tim?

They still do. I email Tim Cook on issues and got a few replies. Sometimes I don't get a reply but a solution made to the problem months down the road.

I believe Apple has already been listening, not as boneheaded as many imagine. It's just they prioritize what is important and needs fixing first.

Just for the sake of discussion: Are they opening up because they need to do this to survive? And they need to do this to survive because their products aren't as good as they used to be and they can't live in an enclosed environment?

My guess is management just sees it as a sensible way forward. Lot of value from engaging more with outside world. (See also: Swift.) Previous management was a bit more secretive, the culture is changing under the new boss.

I don't think it's a "we have to do this to survive" situation, just a "this seems a good idea" situation.

I had the.. pleasure.. of speaking to Comcast's CISO after doing a security risk exposure disclosure. Before talking to her, there were mentions of bug bounties, etc (neat). After talking to her, though, she said in a hand-wavy way that:

1. The exposure wasn't a "bug", so it's not worth a bug bounty.

2. The amount of effort it would take to start a bug bounty program would be far too cost prohibitive. In other words, "Everything's broken. We know it. If we start paying people to find what's broken, we'd go bankrupt." Heh.

So yeah. Don't be surprised.

That is Comcast's reasoning, not Apple's. As the article notes, it's the opposite problem: Apple's internal team is running out of vulns to find.

Well this guy has a bunch of ideas on how they can improve ;) https://twitter.com/i0n1c

Problem is - that's such an easy thing to say, whether it's true or false. For a device that's owned by millions, it's pretty grandiose of them to think that their internal team is all it takes. There's so much an internal team can do, so having an outside "team" is significantly better - even if it's just for a different view from a different vantage point. So, good on Apple for doing this, but I'm questioning their past decisions. In particular their poor use of "they ran out of things to find" is worth discussing. The way this article is worded, their stance sounds incredibly naive, where a "We don't have the same breadth as the infosec research community, and we would like to work with them." response might have been more appropriate.

That's just my personal impression, though.

edit: autocorrect fix

I think it's more like Apple is patient and waits to get things right. Bug bounty programs are relatively new (past few years). The article notes that Apple faced a more complicated landscape than your typical company, one where state actors are bidders. So they needed to craft a more targeted program.

This seems like a pretty generic reason that doesn't explain that much. Are state actors not bidders on gmail, android, facebook, firefox, chrome?

What's the going rate for an Android vuln? The FBI paid ~$1M for an iOS one. Android has a lot more malware, unpatched old installs, etc., and there are myriad ways to attack email and web accounts, so my guess is the marketplace for iOS is on a whole different level.

I suspect for large companies most bug bounty programs are net economic positives, especially weighed against cost of probable breaches or the comparable spend required on in-house engineering to find all the bugs otherwise cheaply and quickly identified by the bounty. The problem is social/political for senior executives to accept that discussion of flaws in the open is a good thing.

The popularity of bug bounty programs is pretty new. Apple is often behind on things that seem to be obvious to everyone else.

I'm not familiar with the market but these seem low when you consider:

- The effort required to find them

- The damage that can be inflicted on Apple in terms of brand goodwill and the subsequent loss of sales, e.g. The SEP implications for ApplePay

- The damage that can be inflicted on users and 3rd parties, e.g. imagine the amount of cash banks would be on the hook for if someone managed to say write a worm that used iMessage/SMS to propagate without user knowledge (e.g. with the recent TIFF vulnerability), and transfer funds from the user's bank account? Or made calls to the baseband to dial shady $10/minute premium rate numbers in some banana republic at 3AM every night?

- The amount of money TLAs and black market actors allegedly pay per the TC article.

- How much money Apple actually has, especially all the offshore cash that can't be repatriated to the US without incurring exorbitant capital gains. These bug bounties could be remitted from any Apple subsidiary.

- Large bug bounties would de facto end jailbreaking

- Knowing Apple there would be endless NDAs and restrictive covenants before any payout is made.

IMO with all this considered the max payouts seem irrationally paltry.

As tptacek loves to point out, the point of bug bounty programs is not to compete on price with the black market. And in fact, according to the article, the $200k Apple is offering is one of the highest for corporate bug bounty programs already.

That $200k boot ROM bounty might be the single instance I know of where a stated bounty value might be lower than the actual market for the vulnerability. If you were slick, you might make more from that bug than Apple would pay with the bounty. That is a bug class with a current, existing, liquid market.

The rest of them seem more than reasonable.

None of them are adequate compensation for the full-time work of someone who can find those kinds of bugs. Nor are they meant to be. If you can, for instance, find a bug that allows you to violate the integrity of the SEP, you have a market value as a consultant significantly higher than that $100k bug bounty --- which will become apparent pretty quickly after Apple publicly thanks you for submitting the bug, as they've promised to do.

No doubt there's going to be some low-hanging fruit (speaking relative to the experience of the participants) that is going to get scooped up quickly, so why would they open the program at something higher? Just high enough to entice the experts to pick off the "easy" ones seems the intelligent thing to do.

When they go a year or two with no bugs found maybe you'll see them start upping the bid.

I wonder if they are backfilling rewards to any of the external researchers who have been doing all of Apple's security research for the last decade. Just as an example, a single researcher from Google is credited with 11 separate vulnerabilities that would qualify for the $50k reward, in a single patchlevel of OS X (and the same person had five such credits in the patchlevel prior to that!). That's almost a million bucks worth of rewards in only half a year of disclosures.

I don't think it would make economical sense for Apple to pay for something that they already got for free.

Sure, but it would be a gesture of goodwill and a way of making amends for years of freeloading.

That guy did 10 more after the first freebie. Could it be that something else was motivating him?

I believe the researcher in question works for project 0.

Among the many reasons this is very unlikely to happen, the bounty values we see now account for the increased difficulty of finding these kinds of vulnerabilities in iOS since its earliest releases. This is an OS that was designed as a platform for secure applications --- that's part of the premise of apps on the Apple phone --- and it's gotten much harder to find and exploit vulnerabilities on the platform since that release.

Next they need to offer a bounty program for usability issues. iOS needs a lot of love since Forstall got squeezed out.

iOS? what about mac os x? it's completely stagnated if not gotten worse from a usability standpoint.

Wonder if they'll include their servers too; appears they're only doing the most recently released OS and hardware.

Towards the bottom of the article they note this:

  The program launches in September with five categories of risk and reward:

  Vulnerabilities in secure boot firmware components: Up to $200,000
  Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
  Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
  Access to iCloud account data on Apple servers: Up to $50,000
  Access from a sandboxed process to user data outside the sandbox: Up to $20,000

I once found a security bug on OS X/Mac (low chance of occurring, however gives complete access), reported complete steps to reproduce and solutions - received a more or less copy-pasted response - two years, two OS X versions later - the bug is still there, even though it looks like a 5-minute fix...

Report it again, take the bounty?

the problem with current state of the bounty program is that it's invitation-only (i'm no security researcher) and ios-centered :/

The question is will they pay $1,000,000 for an exploit that unlocks an iPhone?


The article already addresses this:

  While $200,000 is certainly a sizable reward — one of the
  highest offered in corporate bug bounty programs — it won’t
  beat the payouts researchers can earn from law enforcement or
  the black market. The FBI reportedly paid nearly $1 million
  for the exploit it used to break into an iPhone used by Syed
  Farook, one of the individuals involved in the San Bernardino
  shooting last December.

Interestingly, for altruistic / independently wealthy researchers there's an incentive to report to Apple:

  In an unusual twist, Apple plans to encourage researchers to
  donate their earnings to charity. If Apple approves of a
  researcher’s selected institution, it will match their donation —
  so a $200,000 reward could turn into a $400,000 donation.

Smart move. That's not too shabby of a tax deduction.

I don't understand how the deduction from giving X to a researcher and X to a charity is smarter than just giving X to the researcher?

Tax deduction for the researcher, not Apple (note the original GP was about "altruistic / independently wealthy researchers").

How is a donation of X for tax savings better than 0.6X income?

It is meant to encourage donations to non-profits which is something pretty good that corporates could do.

So it effectively reduces to what you'd prefer: 0.6X for yourself, or 2X for a non-profit that you want to support.

Yea, I was just kidding. Also, selling the exploit to Apple is more of a guarantee than waiting around to see if the government needs it (assuming you want to stay legal).

Odd. That's right around the same price Zerodium is willing to pay.


Ever notice, you never see Superman and Clark Kent in the same room? ;)

$200k appears to be the maximum payout.

Am I reading it correctly that this is only iOS, and not other Apple software?

Charlie Miller must be happy.



Getting sick of the Apple-bashing. Sad to see it has reached HN, I thought it was bad enough on Reddit.

It's not just Reddit. Look at MacRumors, they are absolutely furious with Apple right now:


Well in fairness that is a pretty stupid marketing plan. Seems like they are trying too hard to come up with pseudo-deep punchlines.

You know that's not Apple but some advertising company, right?

Ad agencies usually present their plans to the client for approval before filming, and present the film to the client for approval before broadcasting.

It's not like this got broadcast without Apple's marketing team's sign off.

Sure, but this is not the same as a core product Apple makes...

I've seen much Apple and Microsoft bashing here. Google, not as much.

I don't know why. Personally, I've got devices running the spectrum of OSs and they all have their strengths and weaknesses.

Pretty sure it's been here the entire three years I have.


How is this relevant to discussion. This shit ruins the site. At least provide any content to your comment.

Complaining about a poke at Apple is irrelevant. That's what derailed the thing, not the original comment.

"Someone got offended" is the problem here. Not the alleged offender.

> they deserve all the bashing they are getting

How is this content? It's not even a jab, because they didn't say anything about Apple.

Seems pretty simple to me:

There was a joke. It was at least tangentially related to the article at hand. Then someone got offended and made the very first irrelevant comment here. He could have just let it slide, but no.

More irrelevant comments were made in response to the first irrelevant comment. Yours included. I really don't think people care to read about your opinion on what ruins the site here.

Does it really matter? Are we going to continue talking about this or just let the vote buttons do the talking?

I bet you don't want to just let my comment hang here and you'll want to say something else that is completely not relevant to the article, but you're going to have to in order to stop this madness!

That's the struggle that every HN commenter must deal with.

You're not supposed to talk about your downvote (or upvote) and just do the voting. If you can't downvote yet, just leave it up to someone who can. Another strategy is to upvote sibling comments so they go higher than the comment that you hate. If it's really irrelevant it will die. But it's difficult, as you can see. So that's where mods come in.

Downvotes don't change anything. Only pointing out problems improves discussion. I am sorry this offends you.

No, people with no sense of humor ruin everything. It is a good joke, that's why it is top comment.

It's not humor when it always falls to the same side.


Are there? Are there really? Because my experience on the internet is a few happy Apple customers and a monstrous tidal wave of anti-Apple hate.

And it's a different kind of hate too. Apple fans like to criticize Microsoft and Google, but Apple haters generally attack Apple fans, not Apple itself. It's very disheartening.


> Apple fans because they are crazy

It's this kind of sweeping generalisation that brings the tone of the whole site down.


Cherry picking


I don't see the problem unless you think Apple gets bashed more than Microsoft or Google here.

Do you think Apple gets more than Microsoft on HN? Please read any thread with Microsoft or one of their products in the title and you'll see M$ get bashed every single time. Google gets it too, from plenty of people.

Anyway, they deserve everything they get. Each one of those companies has made large crowds of enemies for various reasons.

Complaining about company bashing in general is fine by me. If you don't like it and you don't want it on HN, then I'm with you. You're just defending Apple though and that comes off as tone deaf and severely biased to me.

In any case, I don't see the mods banning people over a little poke like this. So, if people like it and upvote it then you should probably just counter with a downvote and refrain from commenting and derailing the entire thread like this.

Sorry you got offended. I thought it was funny and relevant.

It's not a good joke because it's not original and is what you'd see in a YouTube comment. It's also not very funny because the premise of the joke, that Apple claims to invent things others already did, never happens. Apple's presentations and PR communications are deliberate and rehearsed. If they do claim something in that vein, it's because it's either true or whatever the thing they claimed to have invented/innovated was sufficiently differentiated where a neutral third party would agree.

Usually when people make derivations of this "joke", what they're really responding to is that Apple is marketing or talking about something they did with their own take on it, and they just can't help themselves from pointing out that someone else did it first, even though the implementation may differ completely. The Touch ID sensor is one example that comes to mind.

Couldn't wait for YouTubers to make a video about this or you thought that your comment wouldn't make any difference in a sea of identical mindless comments?

Or if you prefer "thanks, after this I'm going to buy a Nexus 6p"?


bugs bugs everywhere

how about you fix bugs that are already well known, like how the sd reader dies after a while in el cap?

That has nothing to do with security.

Finally, I'm going to be rich!

I wish Apple would just fix the myriad ordinary bugs, let alone focus on security.
