Slashdot Mirror


Apple's Lack of Bug Bounty Program May Explain Why Hackers Would Help FBI

On Wednesday, it was reported that the FBI had contracted Cellebrite, an Israeli software provider specializing in mobile phone forensics, for $15,000 to break into the iPhone. It is believed that Cellebrite knows of a flaw in the iPhone which could allow circumvention of iOS' built-in security layers. Cellebrite could have worked with Apple on this flaw, but it chose to help the FBI instead. It doesn't take rocket science to understand why Cellebrite chose to take the other route. The New York Times says that many security firms and hackers would love to work with Apple to further improve its products, but they don't because of a lack of incentive. There's little to no monetary incentive in helping the company find loopholes in its products. Apple -- unlike a number of Silicon Valley giants including Facebook, Microsoft, Google, Mozilla, and recently added to the list, Uber -- doesn't maintain a Bug Bounty program. Nicole Perlroth and Katie Benner report for the Times: When hackers do find flaws in Apple's code, they have little incentive to turn them over to the company for fixing. [...] Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits. The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company's website -- but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.

4 of 73 comments

  1. Stupid article is stupid... by Anonymous Coward · Score: 5, Insightful

    So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?

    What if Spectre pays the hackers one millyun dollars? Would you then write an article about how it's Apple's fault they wrote those bugs in the first place allowing crime and not paying enough a bounty so that good and noble heroic autobot white hat hackers could get paid for their awesome work?

    1. Re:Stupid article is stupid... by Shoten · Score: 4, Insightful

      So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?

      What if Spectre pays the hackers one millyun dollars? Would you then write an article about how it's Apple's fault they wrote those bugs in the first place allowing crime and not paying enough a bounty so that good and noble heroic autobot white hat hackers could get paid for their awesome work?

      You're onto part of the real point here...but only part of it. Cellebrite already makes their living doing this kind of thing; they're the primary producer of forensic tools for mobile devices. They used to do iPhones, back before it got so hard to hack them that it wasn't worth their time any longer. When troops in the field capture cellular devices and they want to know what is in them? They plug them into a Cellebrite device.

      So, 1, Cellebrite isn't 'hackers,' it's a company with a business model that focuses on pulling data out of devices when you don't have the PIN to unlock them. And 2, a bug bounty program isn't meant to deter companies from producing forensic tools.

      --

      For your security, this post has been encrypted with ROT-13, twice.

    2. Re:Stupid article is stupid... by Anonymous Coward · Score: 2, Insightful

      So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?

      I wouldn't put it past the FBI to pay someone $100k for an exploit which Apple already fixed.

      The point is that if you find a good exploit for an Apple product, you can either get a nice sticker to put on your fridge along with your crayon artwork, or you can go and sell it for a pile of money to law enforcement, security firms, or blackhat hackers on the 'darknet'. Then a bunch of people are running around with a Zero Day which Apple may not even be aware of.

      OR, Apple could start a 'bug bounty' program, where people can get paid to tell THEM about an exploit first, and they stand a chance of fixing the issue before it starts showing up in the wild.

  2. What? by jittles · Score: 5, Insightful

    So you're claiming that a company who specializes in helping government break into phones and do a forensic analysis on phones would rather take a meager bug bounty than potentially earn millions by aiding government spying and investigation? Yes that makes perfect sense. Do these NYT authors know that NASA is hiring rocket scientists?