Apple reportedly pays less for bugs than its competitors, and pays more slowly. In particular, Apple's bug bounty program (the way companies encourage ethical security researchers to find and responsibly disclose security issues in their products) appears less researcher-friendly than, and lagging behind, industry standards.
The Washington Post says it interviewed more than a dozen security researchers who compared Apple's bug bounty to similar programs at competitors such as Facebook, Microsoft and Google. According to Katie Moussouris, CEO of Luta Security, researchers are finding serious communication problems and a general distrust between Apple and the infosec community.
Poor communication and unpaid bounties
Software engineer Tian Zhang appears to be a prime example of what Moussouris describes. In 2017, Zhang reported a major security flaw in HomeKit, Apple's home automation platform. Essentially, the flaw allowed anyone with an Apple Watch to access nearby HomeKit-controlled accessories, including smart locks, cameras and security lights.
After a month of repeated, unanswered emails to Apple Product Security, Zhang went through the Apple news site 9to5Mac to reach Apple PR, which Zhang described as far more responsive than Apple Product Security. Two weeks later, six weeks after the vulnerability was first reported, the issue was finally fixed in iOS 11.2.
According to Zhang, his second and third bug reports were again ignored by Product Security, with no reward paid and no acknowledgement given, although the bugs were fixed. Zhang's membership in the Apple Developer Program was cancelled after he submitted the third report.
Another researcher, Brunner, accidentally discovered a serious iOS location-tracking vulnerability that allowed an iOS app to track users without their consent. Although the user had granted the app permission to access location data only while the app was in use, the app actually received persistent access and could track the user in the background around the clock.
Brunner reported the bug to Apple, which eventually fixed and acknowledged it in iOS 14.0. But Apple declined to reward him, telling him after seven months only that a bounty required "reporting the issue and demonstrating your understanding of the above categories", and no award was made. According to Brunner, Apple stopped responding to his emails after that decision, despite his requests for transparency.
According to Apple's own payout page, Brunner's bug would seem to qualify easily for anywhere from $2,500 to $50,000 under the category "User-installed application: Unauthorized access to sensitive data." That category refers specifically to "sensitive data normally protected by a TCC prompt", and the payout page later defines "sensitive data" to include "precise or historical location data, or similar user data" that would normally be blocked by the system. "When we make mistakes, we work hard to correct them quickly, and learn from them to rapidly improve the program," Ivan Krstić, Apple's head of security engineering and architecture, told The Washington Post when asked for comment.
An unfriendly program
Exploit and vulnerability broker Zerodium offers large bounties for zero-day bugs, which are later sold to threat actors such as Israel's NSO Group.
"Before you can have a healthy vulnerability disclosure program, you need a proper internal bug-fixing mechanism," Moussouris, who helped create the bug bounty programs for Microsoft and the US Department of Defense, told the paper. "If [researchers] report a problem you already knew about but didn't fix, what do you expect to happen? Or if they report something that takes 500 days to fix?"
One such outcome is that researchers bypass the relatively unfriendly bug bounty program run by the vendor in question and sell the vulnerability to gray-market brokers, who in turn may sell access to threat actors such as Israel's NSO Group. Zerodium offers rewards of up to $2 million for the most serious iOS vulnerabilities, with lesser vulnerabilities such as Brunner's location exposure bug falling into the "up to $100,000" category.
Former NSA researcher Dave Aitel told the paper, "Having a good relationship with the security community gives you strategic insight beyond your product cycle." When reported bugs lead to code changes that fix vulnerabilities, companies should pay the researchers, he argued, even if (as Apple did, confusingly, with Brunner's bug) the reported bugs do not match the company's exact interpretation of its guidelines. "The more goodwill goes around, the more fruitful the bounty programs," he said.
Apple's own view is rather different from what the events above, and the reaction of the broader security community, would suggest. Ivan Krstić, head of security engineering and architecture at Apple, told The Washington Post: "The Apple Security Bounty program has been a runaway success." According to Krstić, the company has nearly doubled its bounty payouts annually and leads the industry in average payout per report.
"We are working hard to grow the program as it expands exponentially, and we will continue to offer the best rewards to security researchers," Krstić said. Still, Apple lags far behind its competitors Microsoft and Google, which paid out a total of $13.6 million and $6.7 million respectively in their most recent annual reports, compared to $3.7 million for Apple.
Infosec researchers say Apple's bug bounty program needs work