Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Has Started Paying Hackers for iPhone Exploits (vice.com)

Posted by msmash on from the some-progress dept.

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: In 2016, Apple's head of security surprised the attendees of one of the biggest security conference in the world by announcing a bug bounty program for Apple's mobile operating system iOS. At the beginning, Apple struggled to woo researchers and convince them to report high-value bugs. For the researchers, the main issue was that the bugs they discovered were too valuable to report to Apple, despite rewards as high as $200,000. Companies like GrayShift and Azimuth made an entire business out of exploiting vulnerabilities in Apple products, while other researchers didn't want to report bugs so they could keep doing research on iOS. But two years later, some researchers are finally reporting vulnerabilities to Apple, and the company has begun to award some researchers with bounties, Motherboard has learned.

[...] Adam Donefeld, a researcher at mobile security firm Zimperium said that he has submitted several bugs to Apple and received payments for the company. Donefeld was not part of the first batch of security researchers who were personally invited by Apple to visit its Cupertino campus and asked to join the program. But after submitting a few bugs, Donefeld told me, an Apple employee asked him if he wanted to be part of the bounty program in a phone call. "I know Apple pays people," Donefeld said in an online chat. "I'm certainly not the only payout." Another researcher, who asked to remain anonymous because they are worried about souring their relationship with Apple, said that they have submitted a few bugs and been awarded bounties, but has yet to be paid. [...] Two other researchers told Motherboard they also have concerns with or have had trouble with the program. One said they weren't paid for a bug they submitted (Motherboard could not independently confirm that the researcher did not get a payment), and another said they didn't want to participate in it at all, even after being invited. Further reading: Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties.

31 comments

  1. So much for being innovative by xxxJonBoyxxx · · Score: 2

    >> Apple Has (FINALLY) Started Paying Hackers for iPhone Exploits (,FOLLOWING THE FOOTSTEPS OF HUNDREDS OF OTHER TECH COMPANIES)

    1. Re: So much for being innovative by Anonymous Coward · · Score: 1

      No technical innovation, but certainly business innovation. There are lots of things that people probably shouldn't get paid for, but they do. If you have a skill, find a niche and run with it.

    2. Re:So much for being innovative by Anonymous Coward · · Score: 1

      And apple will certainly be the cheapest of them all.

    3. Re:So much for being innovative by guruevi · · Score: 4, Interesting

      If you read the article, Apple has been offering for years but some sleazy companies and researchers found it more valuable to keep the information hidden.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    4. Re:So much for being innovative by BlueStrat · · Score: 1

      If you read the article, Apple has been offering for years but some sleazy companies and researchers found it more valuable to keep the information hidden.

      The only way this program will be successful is if Apple consistently offers more money than the NSA et al for exploits/zero-days.

      If Apple does outbid the government spy agencies, watch for a law/regulation to come down the pike to prevent it. Gotta keep tabs on the Proles or else there could be an outbreak of Constitutionalism, and we can't have *that*! That would ruin *everything* and strip us of power!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    5. Re:So much for being innovative by tlhIngan · · Score: 2

      The only way this program will be successful is if Apple consistently offers more money than the NSA et al for exploits/zero-days.

      Apple may be rich, but well equipped government agencies are even richer. Think about it this way - when a state sponsored company can sell an exploit to other state sponsored agencies for 7 figures (i.e., millions) how much would Apple have to pay for it?

      GreyKey and the like sell their boxes for $30K. How much do you think the exploit they use is worth?

      Apple may make more money than some countries, but those generally aren't the countries Apple is concerned about.

      Anyhow, the thinking is that if someone found it, chances are someone ELSE might find the same flaw, and perhaps they're not so well connected that getting Apple to ante up $200K is far better than trying to sell it to government agencies. It's not like hackers have patented cracking methods that no one else does, after all.

    6. Re:So much for being innovative by Anonymous Coward · · Score: 0

      "Gotta keep tabs on the Proles or else there could be an outbreak of Constitutionalism"

      I agree. The three letter agencies want to keep tabs on everyone regardless of the platform (desktop, laptop, tablet, handset, etc) or OS. And you can bet that they have thousands of exploits at their fingertips for every one of those platforms (we saw some of this through the Snowden files).

      Take your idea one step even further and they would not need to make laws to prevent outbidding the agencies for the exploits. I would say that they already have moles working within each company "planting" these exploits into many areas on every OS out there on purpose. It's cheaper to plant exploits directly into the source code than to find them by poking around from outside it. The point being that these exploits are there on purpose to satisfy your quote above.

  2. I welcome this culture shift. by jellomizer · · Score: 4, Insightful

    Thinking back 10-20 years ago. Where if people reported security flaws, the big tech companies other then thanking them for reporting the issues, would try to sue them, to put them in jail for hacking their systems. Not really understanding the hacking community and the fact that most of them are not out to do damage to other people or systems, but just the thrill of finding new ways to get in. Being able to get paid for your efforts helps instinctive the hackers to report their findings, it help the company fix there problems before it become out of hand, and makes sure people are not afraid to use technology beyond its intended purposes and innovate vs using just what is was meant for in fear of getting into trouble by Big Tech.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re: I welcome this culture shift. by Anonymous Coward · · Score: 0

      There's a big difference from a stranger showing up in your living room telling you that you really need to keep your windows locked and you asking for security professionals to check your windows and alert you to open windows. Permission and known intent change everything. It's not the same thing with just a changed point of view.

  3. Re: Entitlement by Anonymous Coward · · Score: 1

    They have certain skillsets and are taking opportunities to turn those skills into cash. It takes advantage of the gig economy. I'm not sure that sense of entitlement would have much to do with it in and of itself.

  4. Apple should negotiate each exploit bounty amount by JoeyRox · · Score: 4, Interesting

    Rather than capping the reward at an arbitrary value, which limits the chances of it being brought to them, Apple should have a policy that negotiates/bids the bounty amount based on the exploit's significance. The process can work by having the hacker demonstrate the exploit to Apple, without revealing how the exploit works, after which they can negotiate the bounty.

  5. Re:Apple should negotiate each exploit bounty amou by xxxJonBoyxxx · · Score: 4, Interesting

    >> having the hacker demonstrate the exploit to Apple, without revealing how the exploit works

    I'm not sure if you're trolling, but in case you're not, I can tell you that just seeing someone exploit your code gives you a LOT of clues as to what the exploit actually is. As a software developer...I've been with >1 companies that get reporting researchers to show us the exploit (against heavily instrumented website/services/etc.) and then we've fixed it without paying/recognizing the researcher AT ALL. In these cases, having a standing reward system actually benefits the reporter, as in "I think I found some XSS vulnerabilities and I'd like to apply for the $1K XSS reward - can we agree to engage under this framework?"

  6. Fuck apple by Anonymous Coward · · Score: 0

    Sell to the highest bidder.

  7. Pennies by Anonymous Coward · · Score: 0

    only pennies... and remember, in the past when people have reported serious security flaws, Apple have lingered and taken as much as 10 months to patch them, even when the fixes were trivial, because they want to give government access until they say they no longer need it.

    If you think your Apple device is secure and that there's no way in, you're kidding yourself.

  8. Re:Apple should negotiate each exploit bounty amou by JoeyRox · · Score: 1, Troll

    The hacker wouldn't even need to show the exploit. He can simply state how much the system is compromised by the exploit, and give a general idea on how easy the exploit is to perform. That would be enough for Apple to assign a value to it and draw up the contract. Actual payment would occur once the exploit is demonstrated and proven to match the hacker's claims during the negotiation.

  9. Re:Apple should negotiate each exploit bounty amou by xxxJonBoyxxx · · Score: 0

    Now you've tumbled on a reason why a standing reward program has value to the company: they want the exploit info ASAP, and ASAP and "negotiate a contract" are on opposites sides of a time-to-fix spectrum.

  10. Re:Apple should negotiate each exploit bounty amou by JoeyRox · · Score: 1

    Right, because it's impossible for Apple to have a boilerplate contract already on hand and plug in the specifics for a specific exploit in less than a few hours, with the total monetary negotiation taking not much longer. You're reaching.

  11. Re:Apple should negotiate each exploit bounty amou by Anonymous Coward · · Score: 0

    At this point, it would make more sense to have the boilerplate already filled in with the various degrees of exploit.

    Which, if I am not mistaken, is where we started (prices listed apriori).

  12. Re:Apple should negotiate each exploit bounty amou by xxxJonBoyxxx · · Score: 1

    >> few hours, with the total monetary negotiation taking not much longer

    You haven't ever negotiated a business contract, have you? :)

  13. Re:Apple should negotiate each exploit bounty amou by xxxJonBoyxxx · · Score: 1

    Right.

  14. Re:Apple should negotiate each exploit bounty amou by JoeyRox · · Score: 1

    All the time. In this case there's nothing to negotiate - Apple will set all the terms, the parties will settle on an amount, and the hacker can either take it or leave it. The terms outside consideration wouldn't be negotiable.

  15. Re: Aw, poor Juden shekelboy "h4x0r", lol... apk by Anonymous Coward · · Score: 0

    You suck the botfly maggots from your mother's infected clit