>People love to read morals, ethics, and politics into analyzing bug bounty submissions, but none of that is the primary factor here.
Just disregarding these things and justifying it with "economics" or "it's bad business" doesn't make ethics disappear. I'm guessing you wouldn't sell exploits to ISIS even if they were the highest bidder? What about North Korea? China? Russia? Syria? The US? The US with Trump in charge?
I personally like tptacek's comment on this from last year:
>None of them are adequate compensation for the full-time work of someone who can find those kinds of bugs. Nor are they meant to be. If you can, for instance, find a bug that allows you to violate the integrity of the SEP, you have a market value as a consultant significantly higher than that $100k bug bounty --- which will become apparent pretty quickly after Apple publicly thanks you for submitting the bug, as they've promised to do.
https://news.ycombinator.com/item?id=12230677
> which will become apparent pretty quickly after Apple publicly thanks you for submitting the bug, as they've promised to do
This is the same twisted logic that people try to use to hire photographers or graphic designers to work for them for free, because they will get "exposure". If someone does something valuable for you, you should pay, no matter how famous your brand is.
And Apple has enough cash to spare.
It's not though, since the alternative to disclosing the bug to Apple is to either hoard it for yourself or sell it to someone, both of which keep the attack vector open and millions of users at risk. That's where the ethical discussion comes in, and there's not really a parallel to the case with the photographer/graphic artist.
(And just to be clear, I do think that fair compensation is a part of that ethics discussion, but it doesn't trump other concerns.)
I was not addressing the ethical question involved - just the logic behind "Apple thanks you, therefore you should be happy".
If Apple is not providing reasonable monetary compensation to white hat security researchers, then they are willingly leaving this space open for black hats.
I read that more as "Apple thanks you, at which point you realize you were smart enough to have made more money doing something else", not "therefore you should be happy".
You are trying to read the comment as positive of Apple's thank you and exposure, when it sounded to me much more like a reality check: I would go so far as to say Thomas's point might have been "when Apple thanks you you will come to regret wasting your time--which you now know was always valuable--on them". That isn't "you should thank Apple for making you realize that"...
> hoard it for yourself or sell it to someone, both of which keep the attack vector open and millions of users at risk.
I think this logic is inherently flawed.
If there was no monetary incentive and the only ROI was a thanks from Apple, maybe the bug in question would not have been found in the first place. Becoming aware of a bug does not suddenly put people at any more risk than they were previously in, prior to bug discovery.
>Becoming aware of a bug does not suddenly put people at any more risk than they were previously in, prior to bug discovery.
I agree, which is why I said "keep[s] [...] millions of users at risk" not "puts millions of users at risk". An unfound bug is still a potential zero-day. With something as valuable as an iPhone exploit, we know multiple entities are desperately looking for it, so I wouldn't err on the side of assuming that any exploit would not be found. (Or, put more succinctly: if you've found it, someone else might've too.)