Slashdot Mirror


iPhone Bugs Are Too Valuable To Report To Apple (vice.com)

An anonymous reader writes: Last year, Apple launched a long-awaited bug bounty program to reward friendly hackers who report flaws in the iPhone to the company. Despite inviting some of the best hackers in the world to join, it's a bit of a flop so far. The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research. "People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly." Patrick Wardle, a former NSA hacker who now specializes in MacOS research and was invited to the Apple bug bounty program, agreed. He said that iOS bugs are "too valuable to report to Apple."

22 of 96 comments

  1. So just increase the bounty... by Anonymous Coward · Score: 5, Insightful

    Apple's pockets are a little deeper than most.

    They could surely increase the bounty to a point where no one could possibly compete with them.

    1. Re:So just increase the bounty... by Kergan · Score: 3, Interesting

      They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet" until a zero day rears its ugly head. It's not like Apple could buy the stuff at an auction or something - or could they?

    2. Re:So just increase the bounty... by jeremyp · Score: 4, Insightful

      I don't think the economics will work.

      iOS bugs are presumably valuable because they allow you to exploit users for lots of $$$ and because they are rare. If Apple raises the bounty, then unfixed bugs will become even rarer and grey market prices will rise and you are back where you started.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe

    3. Re:So just increase the bounty... by Anonymous Coward · Score: 5, Insightful

      You are not right back where you started. You just said by raising the price unfixed bugs will become even rarer, which is the goal of a bug bounty program.

    4. Re:So just increase the bounty... by gurps_npc · Score: 4, Insightful

      Not true.

      There are three markets for the bugs:

      1) Apple.
      2) Small time thieves (Mafia and their ilk)
      3) Big time thieves (NSA, Mossad, KGB, ISIS, etc.)

      The latter two want the bugs to be cheap. But Apple should want the bugs to be expensive. And they can make it so.

      Apple can raise the price enough that thieves can't afford to outbid them. Granted, Apple can't outbid NSA and the other such global organizations. But they can outbid the small time thieves.

      Right now Apple is being cheap and letting common thieves outbid them. That is stupid. They should at least up the ante to the point that only the big time thieves, including terrorists and spy agencies, can purchase the bugs.

      --
      excitingthingstodo.blogspot.com

    5. Re:So just increase the bounty... by swb · Score: 2

      Even the global security organizations have budgets, and raising the prices high enough might make them less interested in high priced bugs unless they were well developed and high value. AFAIK, some of these exploits are theoretical and require a lot of work to make them useful.

      I think I've also read there's kind of a supply chain for some of these bugs, from hackers to private security organizations that buy them and then resell them to state security agencies. I don't know, but I suspect that a lot of the hackers may not want to deal with state security agencies directly and prefer to sell to a middleman. If you can price the middleman out of the market, the hackers will have to either overcome their reluctance to deal with security agencies or sell to Apple, and for sufficiently high prices they may believe that the security agency price premium doesn't offset their aversion to dealing with the security agency.

    6. Re:So just increase the bounty... by cant_get_a_good_nick · Score: 2

      OP used a bad term. Didn't mean rare as in fewer, but meant rare as in dearer. Kind of like "rare" diamonds... they're not really rare, just dear.

  2. Then Apple is not paying well enough by Anonymous Coward · Score: 3, Insightful

    Then Apple is not paying well enough if the grey* market pays better.

    * NSA, FAPSI, 3PLA, etc

  3. What's this grey stuff? by Anonymous Coward · Score: 2, Insightful

    If you sell it to Apple, you are a white hat hacker and helping make the product better.
    But it costs you 7 figures per bug to be a good guy or gal.

    If you sell at market rate, it isn't a grey market, it's a black market.
    You are not only preventing something from getting fixed, you are helping folks do bad things.
    But you get a bunch of cash.
    It ought to be illegal except that it is funded by the FBI etc.

    I don't see how it would hurt Apple to pay market rates, but folks should not get away with clean cash for black activities either.

  4. Don't call them researchers by Hentes · Score: 4, Informative

    Someone willing to sell bugs to criminals if they pay better is greyhat at best.

    1. Re:Don't call them researchers by Stan92057 · Score: 5, Insightful

      Wouldn't call them gray either; they are black-hats 100%, so why call them gray? What good have they done? The bug they found will be exploited criminally. Now lol, if they sold the bug to criminals, then turned around and sold it to Apple, then I would tag them gray.

      --
      Jack of all trades, master of none

    2. Re:Don't call them researchers by phayes · Score: 2

      Indeed. If those who discover iOS flaws refuse to give/sell them to Apple, then there is _no_ white in their hats and they are blackhats with no redeemable features.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue

    3. Re:Don't call them researchers by XparXnoiaX · Score: 2

      Blackhats do research, too.
      Researchers are sometimes unethical.

      --
      Irresponsible disclosure is responsible

  5. There is always a solution: by mbkennel · Score: 2

    Cut the pay of the iOS developers by the amount of the bug bounty.

    1. Re:There is always a solution: by Bing+Tsher+E · Score: 4, Insightful

      Thus lowering the quality of the developers who work on iOS which increases the bug count.

      No, I don't think a positive feedback loop is a good idea.

    2. Re:There is always a solution: by FatdogHaiku · Score: 2

      Then they quit and get replaced by cheaper developers that create more bugs.

      Prompting more payouts followed by decreased developer payments leading to cheaper developers that create more bugs...
      Now THAT'S how you simulate an economy!

      (Seriously Kidding... or Kiddingly Serious...
      I always get those mixed up...)

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office

  6. Re:Too hard to find flaws? by mbkennel · Score: 2

    There are plenty of iOS users who have money, there's plenty of motivation. There aren't as many hackers because it's not very rewarding. The OS and app infrastructure is more secure, and it limits application developers in cases.

  7. Re:Too hard to find flaws? by angel'o'sphere · Score: 2

    You seem not to know much about how an OS works, how its security works, and particularly why iOS is that secure.
    Your post is pointless.

    It starts with 'skilled hackers trying to break'; you watch too many bad movies about 'hacking'.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.

  8. Jailbreaks by Kernel+Kurtz · Score: 2

    I'd rather they be used for that first, then Apple can fix them later.

  9. Apple is much better off with this approach by Tanman · Score: 3, Insightful

    One would be a fool to think that Apple does not also purchase bugs on the black market through intermediaries. Having an inexpensive bug bounty gives incentive to all the white hats out there to do their part to increase Apple security.

    For everyone else, Apple will buy exploits in the wild paying market value. If they increased their bug bounty program to this level, it would not increase their ability to get ahead of black hats since they would have to pay over market price to lure them over, but it would make all their other submitted bugs more expensive.

  10. Re:Yeah but who cares by cant_get_a_good_nick · Score: 2

    1) it's more than 15%.
    2) iOS is used by higher value targets. A lot of this came to light when a company strung 3 vulnerabilities together to make a rootkit dropper. The cost was about half a million to attack one dissident.

  11. How is this not illegal? by jonwil · Score: 2

    A. How is it not illegal to profit from the sale of vulnerabilities in software (other than by reporting it to the vendor and collecting a bounty)? And B. How come the software vendors (who presumably don't want vulnerabilities to be bought and sold on the open market) haven't been lobbying for laws to make these vulnerability marketplaces illegal?

    Are the software companies worried that if it's illegal it will just disappear into the deep web and become even harder to track and deal with? Do the software companies know that such laws will never happen because the government needs these vulnerability marketplaces as a way to get bugs to use in its spying efforts? Do the software companies know that such laws would be pointless since the action happens outside jurisdictions that might actually implement such laws?