
Apparently Apple Bugs are worth more than Apple is wanting to pay...

WMGroomAK

Apple Bug Reporting

116 members have voted

  1. If you found an Apple bug, how would you report it?

    • I would use the Apple Bug Bounty Program: 35
    • Sell it on the gray market: 57
    • Time to hoard my secrets: 17
    • Other???: 7


So I found this to be kind of interesting, and it makes some sense; however, it would appear that Apple's bug bounty program is having trouble taking off due to the actual value of those vulnerabilities. Apple announced their program back in August 2016 and has in place a bounty program with rewards ranging from $25k up to $200k (which is in line with Google's and Microsoft's programs); however, there is yet to be any indication of someone claiming a reward from this program. According to an article on Motherboard, this would appear to be due to the fact that Apple's walled garden makes it hard to have some of these exploits in the first place, and therefore the exploits that are found can be sold for $500k to $1.5 million on the gray market.

 

https://motherboard.vice.com/en_us/article/gybppx/iphone-bugs-are-too-valuable-to-report-to-apple

Quote

In August 2016, Apple's head of security Ivan Krstic stole the show at one of the biggest security conferences in the world with an unexpected announcement.

 

"I wanna share some news with you," Krstic said at the Black Hat conference, before announcing that Apple was finally launching a bug bounty program to reward friendly hackers who report bugs to the company.

 

The crowd erupted in enthusiastic applause. But almost a year later, the long-awaited program appears to be struggling to take off, with no public evidence that hackers have claimed any bug bounties.

 

The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research.

...

The researchers who received an invite to join have had a chance to earn rewards ranging from $25,000 to $200,000 for bugs in iOS and MacOS, according to Krstic's talk.

 

That might sound like a lot of money. But one of the reasons why the researchers we talked to aren't itching to report bugs is that Apple's rewards aren't as high as they could or maybe should be. In the private, gray market, where companies such as Zerodium buy exploits from researchers and sell them to their customers, a method comprised of multiple bugs that can jailbreak the iPhone is valued at $1.5 million. Another firm, Exodus Intelligence, offers up to $500,000 for similar iOS exploits. These companies claim to sell only to corporations to help them protect their networks, or to law enforcement and intelligence agencies to help them hack into high-value targets.

 

It's possible that some hackers have taken advantage of Apple's bug bounty program and simply chose not to discuss it publicly, but the agreement that Apple asked researchers to sign if they wanted to participate in the program didn't strictly forbid them from discussing exploits they discovered. The agreement, which one of the researchers shared with me, only asks the researchers to wait until the bug is fixed and that the researchers "share" what they want to say with Apple before discussing the vulnerability publicly. Normally, researchers are happy to receive public recognition for their finds, both for the bragging rights, and because it helps build their resume as a hacker skilled enough to find flaws in some of the world's most secure software.

As I said, I found this kind of interesting in that the program may not be taking off due to the value of these exploits and how secretive Apple tends to be...


I don't use any Apple products. IMO they are just overpriced shiny junk. So the chances of my finding an Apple bug right there is basically zero. But if I did find an Apple bug I would probably do nothing about it. Just assume that someone else found it as well and reported it.


The payout is lower than what you can get at some private security firms, so people go there.

 

Nobody actually cares about making a platform better so long as their pocket is a little fatter. 


7 minutes ago, huilun02 said:

NSA will probably pay the most for vulnerabilities

They don't pay for it. They blackmail you with your dirty secrets that they stole, and make you leave new vulnerabilities so they can go on and steal more from others. And the cycle goes on and on.


...and then have the secrets stolen in a large hack for the world to see.


This is obviously because Apple devices are perfect and have no exploits.

 

iPhones and Macs can't get viruses.

 

That's why you have to pay so much for extra RAM.

 

Also, it's more of an effort vs. reward type thing: it's easier to mess with people's stuff on Android, and there are more Android phones, so why put in more effort trying to get into iOS?


As pointed out, the Walled Garden effect means the bugs are more valuable. Private Security firms pay a lot more than 200k for really good ones.  Mostly as they're the ones that turn around and sell them for millions to the NSA.


I sell on the grey market just because I don't like Apple, Apple products, or the unwarranted popularity that the products receive.

 

If I made even a few people switch to a better platform, I'd call that worth while.


Of course they want to pay as little as possible, so no surprise those finding bugs will take them elsewhere.


2 hours ago, Trik'Stari said:

I sell on the grey market just because I don't like Apple, Apple products, or the unwarranted popularity that the products receive.

 

If I made even a few people switch to a better platform, I'd call that worth while.

Technology isn't a fanboy war you have to 'win.'  It is, in fact, possible to prefer one platform without trashing the other one.


I'd use the proper bounty program out of principle, but I can see why someone would sell them on the grey market instead... either way it's possible that, if apple raised the bounty, grey market prices would simply go up proportionally and we'd end up exactly where we started. Beyond a certain point it's just up to personal conscience. The bounty should be a reward so you don't feel stupid for being a good person and a payment for doing some of the work for them, not Apple's own grey market pitch.


Sell on the grey market, donate to jailbreakers, sell to Apple.

 

Most profit, and I get an iOS 10.3.2 jailbreak!


On 7/7/2017 at 0:36 PM, mpsparrow said:

I don't use any Apple products. IMO they are just overpriced shiny junk. So the chances of my finding an Apple bug right there is basically zero. But if I did find an Apple bug I would probably do nothing about it. Just assume that someone else found it as well and reported it.

I hate it when people hate Apple. They make good phones, okay. I'm sorry if that bothers you. I won't defend anything other than their phones, though. But still, they invented and dominate the smartphone market for a reason.


3 minutes ago, DutchTexan said:

I hate it when people hate Apple. They make good phones, okay. I'm sorry if that bothers you. I won't defend anything other than their phones, though. But still, they invented and dominate the smartphone market for a reason.

I am not saying that Apple is scum. They are smart people and have made a very successful business. What I disagree with are all these people who think everything else is junk and that Apple is the best in the world and the only good computer company. I know too many people like that and it has aided in me just straight staying away from Apple.


7 minutes ago, mpsparrow said:

I am not saying that Apple is scum. They are smart people and have made a very successful business. What I disagree with are all these people who think everything else is junk and that Apple is the best in the world and the only good computer company. I know too many people like that and it has aided in me just straight staying away from Apple.

The reality is somewhere in between the Apple cheerleader and the Anything But Apple hater (yes, there's a name for it).  Apple generally makes good products, and I prefer them for my usage habits.  They avoid bloatware and that "race to the bottom" that you see with Android and Windows vendors (where quality is regularly sacrificed in the name of price).    However, I'm not going to pretend they're immune from problems, and I'm absolutely cool with someone buying a good Windows PC or Android phone if it's better for their needs.

 

The problem is that humans have a bad tendency toward an us-versus-them mentality: for my phone/game console/PC to win, your side has to lose.  It's harder to take a nuanced view where it's fine that your favourite gadget is less than perfect, or that competition can make that gadget better.


What’s stopping you from selling to both parties?

 

If and when the bug gets fixed in a subsequent patch, it’s not like the third party can track it back to you, right?


On 7/8/2017 at 10:02 AM, Commodus said:

Technology isn't a fanboy war you have to 'win.'  It is, in fact, possible to prefer one platform without trashing the other one.

Can I still hate Apple and their products anyway?

 

It's just that it's my zone of comfort to do so.


If they raise the bug bounty any higher, then shady Apple devs may decide it's worth the risk to try and implement their own "bug", then have a "partner" "discover" the bug and claim the cash, and split it with the original developer who purposely put it there.
