https://safirsoft.com Infosec researchers say Apple's bug-bounty program needs work

Apple, it is claimed, pays less for bugs than its competitors, and pays more slowly. In particular, Apple's "bug bounty" program, the mechanism by which companies encourage ethical security researchers to find and responsibly disclose security issues in their products, appears to be less researcher-friendly than, and to lag behind, industry standards.

The Post says it interviewed more than a dozen security researchers, who compared Apple's bug bounty with similar programs at competitors such as Facebook, Microsoft and Google. The researchers, among them Katie Moussouris, CEO of Luta Security, describe serious communication problems and a general sense of distrust between Apple and the infosec community.

Poor communication and unpaid bounties

Software engineer Tian Zhang appears to be a good example of what Moussouris describes. In 2017, Zhang reported a serious security flaw in HomeKit, Apple's home automation platform. Essentially, the flaw allowed anyone with an Apple Watch to take control of nearby HomeKit-controlled accessories, including smart locks, cameras and security lights.

After a month of repeated emails to Apple Product Security went unanswered, Zhang went through the Apple news site 9to5Mac to reach Apple PR, which Zhang described as far more responsive than Apple Product Security. Two weeks later, six weeks after the vulnerability was first reported, the issue was finally fixed in iOS 11.2.

According to Zhang, a second and a third bug report were again ignored by Product Security, with no bounty paid or even acknowledged, although the bugs themselves were fixed. Zhang's Apple Developer Program membership was cancelled after he submitted the third bug.

Brunner, an iOS engineer, accidentally discovered a serious iOS location-tracking vulnerability that allowed an app to track users without their consent: when a user granted an app permission to access location data only while the app was in use, the app was in fact given persistent access and could track the user 24 hours a day, 7 days a week. Despite granting only the "while using" permission to the app, Brunner found that his own app was effectively licensed to run in the background around the clock.

Brunner reported the bug to Apple, which eventually fixed it and credited him in iOS 14.0. But Apple strung him along for seven months before telling him in the end that his submission amounted to "reporting the issue" without "demonstrating" a fit for "the above categories," and no bounty was paid. According to Brunner, Apple stopped responding to his emails after that notice, despite his requests for transparency.

Judging from Apple's own bounty payouts page, it looks like Brunner's bug should easily have qualified for a reward of $2,500 to $50,000 under the category "User-installed app: Unauthorized access to sensitive data." That category refers specifically to "sensitive data normally protected by a TCC prompt," and the payouts page later defines "sensitive data" to include "precise or historical location data, or similar user data" that would normally be prevented by the system. "When we make mistakes, we work hard to correct them quickly and learn from them to rapidly improve the program," Ivan Krstić, Apple's head of Security Engineering and Architecture, told The Washington Post when asked for comment.

Unfriendly programs

Vulnerability broker Zerodium offers big bounties for zero-day bugs, which are then sold on to threat actors such as Israel's NSO Group. "Before you can have a healthy bug bounty program, you need a proper internal bug-fixing mechanism," Moussouris, who helped create bug bounty programs for Microsoft and the US Department of Defense, told the paper. "If [researchers] report a problem you already knew about but didn't fix, what do you expect to happen? Or if they report something that takes 500 days to fix?" One option for such researchers is to bypass the relatively unfriendly bug bounty program of the vendor in question and sell the vulnerability to gray-market brokers such as Zerodium, which in turn can sell access to threat actors such as Israel's NSO Group. Zerodium offers up to $2 million for the most serious iOS vulnerabilities, with less serious vulnerabilities such as Brunner's location-exposure bug falling into the "up to $100,000" category.

Former NSA researcher Dave Aitel told the paper that "Having a good relationship with the security community gives you strategic insight beyond your product cycle." When reported bugs lead to code changes that fix vulnerabilities, Aitel said, companies should pay the researchers, even if, as Apple has done with Brunner's bug, the company can argue that the reported bug does not match its exact reading of its own guidelines. "The more goodwill there is, the more fruitful bounty programs are," he said. That seems clear enough from the events above, and from the reaction of the broader security community. Ivan Krstić, head of Security Engineering and Architecture at Apple, told The Washington Post that "The Apple Security Bounty program has been a runaway success." According to Krstić, the company has nearly doubled its bounty payouts year over year and leads the industry in average payout per bounty.

"We are working hard to scale the program as it grows exponentially, and we will continue to offer the best rewards to security researchers," Krstić said. In total payouts, however, Apple lags well behind its competitors Microsoft and Google, which paid out $13.6 million and $6.7 million respectively in their most recent annual reports, compared with $3.7 million for Apple.
