Google Hacker Asks Tim Cook to Donate $2.5M in Unpaid iPhone Bug Bounties (vice.com)
72 points by Varcht 8 days ago | 16 comments

I didn't see it explained, is this saying that Apple owes this person 2.5 million in bug bounties? Did they refuse to pay, did he decline payment, or what?

Guessing that, as a Google employee paid a salary to do this, his deal precludes him from collecting from Apple.

"Apple’s iPhone is one of the most—if not the most—secure consumer device on the planet."

Really?



Yes, really.

An approximate metric of the security of a system is the cost of a vulnerability to the OS divided by the number of users.

It's hard to find an up to date price list, but the relative difficulty of breaking into these bits of software hasn't changed much:

https://www.forbes.com/sites/andygreenberg/2012/03/23/shoppi...

Edit: More up to date prices are here: https://www.zerodium.com/program.html


Can you give a counter-example? In the same product class what is more secure?

It doesn't say "same product class". It doesn't even stipulate consumer electronics, let alone networked consumer electronics.

My toaster is more secure.


They might be confusing effort with results. From that perspective, the iPhone had tons of security, and your toaster presumably has none.

Or maybe they wanted you to assume they meant within its product class.


I don't think they meant in comparison to my pet rock.

Then they should have compared it to other phones. Not to other "consumer devices".

If that is in fact true, and these bugs have been reported and fixed, all I expect in response from Tim is just a simple "Done!".

I suspect the reason Ian hasn't claimed the bounties himself is because Project Zero has very specific disclosure rules. Once reported, a vulnerability is released to the public after 90 days, even if it is still unfixed, for example.

Part of the requirements for joining Apple's program is probably to agree not to disclose vulnerabilities at all once discovered.

It makes sense when you think about it. Google pays Ian a salary to find bugs and treat them the way Project Zero wants. If Ian went to Apple, they would pay him a reward to treat the bugs the way they want. Trying to claim both is double-dipping.


Do you actually expect that? I expect them to just ignore it or respond with some excuse or reason why they won't pay.

With all the bullshit Tim talks about integrity, I don't expect anything less. Then again, I called it bullshit.

Finally they found the way in, as Google always does.


