Yeah, this is particularly the case at Google and Facebook. If you submit a security report to Google or Facebook through their bug bounty programs and escalate it with a critical severity tag (whether or not it's justified), someone on the application security team will review it within an hour. I can say that from experience (on both sides). If it's a legitimate sev:critical vulnerability, a workaround will usually be in production within 24 hours.

I think the intrinsic failure here is that Apple is - more than any other FAANG-like tech company - fundamentally disinterested in vulnerabilities that don't represent root-capable jailbreak vectors. Or rather, they ostensibly care, but every single process is systematically designed to encourage introspection on those vulnerabilities as a categorical imperative. Other types of vulnerabilities will be treated as second class citizens, so to speak. Apple does a lot of things right from a security perspective, but this really isn't one of them in my opinion.

This is very clear despite corporate messaging if you follow along with their bug bounty program. Consider that the bar for submitting a bug bounty to Apple requires the vulnerability to be something capable of compromising the device's sandbox or root privileges. This is explicit - a userland privacy bug is not sufficient. Furthermore, the bug bounty is strictly invite only, and even some of the most accomplished and talented vulnerability researchers in the world are closed out from it: https://twitter.com/i41nbeer/status/1027339893335154688

More generally speaking, a reliable formula for putting a vulnerability in front of someone who is both qualified and paid to urgently care is the following:

1. Look up the security team at the company. Not security contact information, the team.

2. Find individuals on that team by going through blog posts, conference talks, etc.

3. Find those people on Twitter. Tweet at several of them with the broad strokes: you have a vulnerability in X product, you need to securely report it, you believe it's N severity, how should you do it?

But of course, you shouldn't need to do this. You should be able to fire something off to security@ or, better yet, a bug bounty program.
