Slashdot Mirror


Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties (threatpost.com)

secwatcher writes: Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. The Verge: "Their focus is on the design of the system and not on exploitation. Please, we need to stop just spot-fixing bugs and learn from them, and act on that," he told a packed audience. Per Beer, Apple researchers are not trying to find the root cause of the problems. "Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could [have] found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn't they report it?" He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability. In a provocative call to Apple's CEO Tim Cook, Beer directly challenged him to donate $2.45 million to Amnesty International -- roughly the equivalent of bug bounty earnings for Beer's 30-plus discovered iOS vulnerabilities.

1 of 79 comments

  1. Re:He missed something...no surprise by orlanz · Score: 3, Informative

    So true. Our company's iOS count is in the mid 5 digit range. And early on, there was an Exchange Calendar glitch that we just couldn't solve. It would only appear on iOS and not the numerous non-iOS devices.

    It took us MONTHS to get Apple to even see that there was an issue. Some guy in a forum figured it out but it took us MONTHS to have them accept that it was an issue with how they implemented the ActiveSync protocols. It took almost 18 months for Apple to actually fix the problem (the fix itself was fairly simple, related to assigning a meeting ID properly).

    In one meeting, we were literally told: "Corporate isn't really our target audience, so this is a low priority issue." Which is FINE, just don't be telling us this 6 months into the discussions! At least accept the fact that something is wrong and put out a communication about it.