Apple Officially Announces Bug Bounty Program Covering All of Its Software (macrumors.com)
226 points by alwillis 33 days ago

I wish Apple would also improve their process for handling “ordinary” non-security bugs.

Since the WWDC 2019 betas and even after release all the way through to the latest updates today, I still run into a bug in Apple software and services, even their IDE and APIs, almost every single day.

Just a few hours ago I had to hard-reset my MacBook because it failed to wake from sleep (beachballed) after plugging in.

This has happened a few times on my barely-a-year-old MBP running the latest Catalina, freshly installed and without any system-level/third-party modifications. This is not really acceptable and triggers horrible flashbacks of my time in the Microsoft trenches.

Log the bug at http://bugreporter.apple.com

And then encourage others to also log the bug.

Apple prioritises which bugs to fix based on the severity and how common they are.

They hide other instances of bugs so you can't tell if they're de-duping them correctly.

They also close them for ridiculous reasons. We've been told stuff like "diskutil isn't meant for root filesystems", etc.

As someone writing fairly low-level system code for macOS as a day job, we've institutionally given up on Apple's bug report process. It eats a lot of developer time and has never had a positive outcome for us.

Last time I tried to use their new bug reporter (feedbackassistant.apple.com), I got distracted by reporting all of the bugs in the bug reporter itself. It's utterly fucked up on desktop Firefox and the mobile version of Chrome. Try going to the "Where would you like to start your feedback?" page and shrinking the window until not everything is visible at once. It's impossible to scroll down, so you can't file any bugs (except for maybe watchOS bugs, because that's at the top of the list).

Apple's "improvement" in that area this year has largely had no effect or even negative ones in certain cases.

Considering these bug bounty programs are the most economical way to hire white hat talent, what took them so long?

Why isn’t every company doing it? The only reason I can think of is that they haven’t done a decent QA of their own system and are afraid of the resulting embarrassment.

“Apple says it will add a 50 percent bonus on top of the standard payout for bugs found in beta software, which allows the company to nix the issue before the OS version goes public. It is also offering the same bonus for so-called "regression bugs".”

Quite interesting, their treatment of beta. I would have thought the reverse.

If you do it in reverse then you are incentivising people to hoard the bugs until release.

Exciting news for the white hats who have always criticized Apple's terrible payouts and submission process.

Definitely keep this bookmarked in case I happen to come across anything.

If it’s official, shouldn’t this point to apple.com?

To save anyone a few clicks/taps:


Someone posted a link to Apple's bounty site last night and it's not clear what's changed so I think a different link is justifiable.

Any idea why Apple Pay is specifically excluded?

Just a guess, but perhaps contractual terms with their partners.

I wouldn’t be surprised if PCI forbade inviting white hats.

I heard a rumor that Apple has never paid out any money in their invite-only bug bounty days. This 2018 article seems to suggest that is true. Does anyone have any data to the contrary?


I get this weird error on macOS terminal where it refuses to do a login into the shell and just hangs. Killing everything in activity monitor doesn't make a difference. The only way to recover is to restart.

Long overdue, but exciting news nevertheless.

Never was a fan of Apple, but indeed, really interesting information.

Just imagine if those iBoot exploits were all reported for cash to Apple. Essentially we get less freedom from our devices to do whatever with them.

Apple's bug bounty announcement is just a response to tighten up their walled garden. You'd think that macOS will be as limited as a desktop OS like iOS and iPadOS is.

I admired the pirate vs. navy culture Apple had in the past, but now they are neither and have become an IBM reincarnation. Just like old times...

Nobody forces you to buy Apple products, it's pretty weird to buy a product and then hope for a security flaw in order to use it the way you want.

But that's how I've been dealing with video game consoles for decades... Though usually after the flaw is found.

If you're willing to trade away basic security for tinkerability, buy an Android device.

Quoted: Prior to now, Apple's bug bounty program was invitation-based and non-iOS devices were not included.

iOS has always been in scope. What you are saying should’ve already been able to happen wrt iBoot.

Preventing you from getting hacked is actually the real incentive. It doesn’t need to be so evil/complicated.