Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Bugs Are Too Valuable To Report To Apple (vice.com)

Posted by msmash on from the big-dilemma dept.

An anonymous reader writes: Last year, Apple launched a long-awaited bug bounty program to reward friendly hackers who report flaws in the iPhone to the company. Despite inviting some of the best hackers in the world to join, it's a bit of a flop so far. The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research. "People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly." Patrick Wardle, a former NSA hacker who now specializes in MacOS research and was invited to the Apple bug bounty program, agreed. He said that iOS bugs are "too valuable to report to Apple."

10 of 96 comments (clear)

  1. So just increase the bounty... by Anonymous Coward · · Score: 5, Insightful

    Apple's pockets are a little deeper than most.

    They could surely increase the bounty to a point where no one could possibly compete with them.

    1. Re:So just increase the bounty... by Kergan · · Score: 3, Interesting

      They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet" until a zero day rears its ugly head. It's not like Apple could buy the stuff at an auction or something - or could they?

    2. Re:So just increase the bounty... by jeremyp · · Score: 4, Insightful

      I don't think the economics will work.

      iOS bugs are presumably valuable because they allow you to exploit users for lots of $$$ and because they are rare. If Apple raises the bounty, then unfixed bugs will become even rarer and grey market prices will rise and you are back where you started.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    3. Re:So just increase the bounty... by Anonymous Coward · · Score: 5, Insightful

      You are not right back where you started. You just said by raising the price unfixed bugs will become even rarer, which is the goal of a bug bounty program.

    4. Re:So just increase the bounty... by gurps_npc · · Score: 4, Insightful

      Not true.

      There are three markets for the bugs..

      1) Apple.
      2) Small time thieves (Mafia and their ilk)
      3) Big time thieves (NSA, Mossad, KGB, ISIS, etc.)

      The later two want the bugs to be cheap. But Apple should want the bugs to be expensive. And they can make it so.

      Apple can raise the price enough that thieves can't afford to outbid them. Granted, Apple can't outbid NSA and the other such global organizations. But they can outbid the small time thieves.

      Right now Apple is being cheap and letting common thieves outbid them. That is stupid. They should at least up the ante to the point that only the big time thieves, including terrorists and spy agencies to purchase the bugs.

      --
      excitingthingstodo.blogspot.com
  2. Then Apple is not paying well enough by Anonymous Coward · · Score: 3, Insightful

    Then Apple is not paying well enough if the grey* market pays better.

    * NSA, FAPSI, 3PLA, etc

  3. Don't call them researchers by Hentes · · Score: 4, Informative

    Someone willing to sell bugs to criminals if they pay better is greyhat at best.

    1. Re:Don't call them researchers by Stan92057 · · Score: 5, Insightful

      Wouldn't call them gray either, they are black-hats 100% why call them gray? What good have they done? the bug they found will be exploited criminally. Now lol if they sold the bug to a criminals then turn around and sell it to apple then i would tag them gray.

      --
      Jack of all trades,master of none
  4. Re:There is always a solution: by Bing+Tsher+E · · Score: 4, Insightful

    Thus lowering the quality of the developers who work on iOS which increases the bug count.

    No, I don't think a positive feedback loop is a good idea.

  5. Apple is much better off with this approach by Tanman · · Score: 3, Insightful

    One would be a fool to think that Apple does not also purchase bugs on the black market through intermediaries. Having an inexpensive bug bounty gives incentive to all the white hats out there to do their part to increase Apple security.

    For everyone else, Apple will buy exploits in the wild paying market value. If they increased their bug bounty program to this level, it would not increase their ability to get ahead of black hats since they would have to pay over market price to lure them over, but it would make all their other submitted bugs more expensive.