With bonuses, maximum rewards can be as high as $5 million:
Since launching its bug bounty program nearly a decade ago, Apple has always touted notable maximum payouts—$200,000 in 2016 and $1 million in 2019. Now the company is upping the stakes again. At the Hexacon offensive security conference in Paris on Friday, Apple vice president of security engineering and architecture Ivan Krstić announced a new maximum payout of $2 million for a chain of software exploits that could be abused for spyware.
The move reflects how valuable exploitable vulnerabilities can be within Apple's highly protected mobile environment—and the lengths the company will go to in order to keep such discoveries from falling into the wrong hands. In addition to individual payouts, the company's bug bounty also includes a bonus structure, adding awards for exploits that can bypass its extra-secure Lockdown Mode as well as those discovered while Apple software is still in its beta testing phase. Taken together, the maximum award for what would otherwise be a potentially catastrophic exploit chain will now be $5 million. The changes take effect next month.
"We are lining up to pay many millions of dollars here, and there's a reason," Krstić tells WIRED. "We want to make sure that for the hardest categories, the hardest problems, the things that most closely mirror the kinds of attacks that we see with mercenary spyware—that the researchers who have those skills and abilities and put in that effort and time can get a tremendous reward."
[...] In addition to higher potential rewards, Apple is also expanding the bug bounty's categories to include certain types of one-click "WebKit" browser infrastructure exploits as well as wireless proximity exploits carried out with any type of radio. And there is even a new offering known as "Target Flags" that puts the concept of capture the flag hacking competitions into real-world testing of Apple's software to help researchers demonstrate the capabilities of their exploits quickly and definitively.
(Score: 4, Interesting) by bzipitidoo on Friday October 24, @02:10AM (2 children)
Just for being a computer expert, I've been accused of hacking into computer systems and threatened with severe punishment. I've seen the hate and fury and fear in the eyes of the victims determined that someone pay, and they don't care whether they have the right someone. I know what they're thinking. They think if they make an example of someone, even the wrong someone, that'll scare all the other hackers straight. And severely punishing someone will help them feel better, even though that does nothing towards recovering their precious data and locking down their secrets. Well, I refuse to expose myself to such railroading.
I won't even be a white hat hacker, not with vicious fools about who are able to do that kind of hurt. No, $2 million isn't worth being manhandled and beaten by overzealous law enforcers some of whom hate smart people simply for being smart, and would love an excuse to do what they always wanted to do in high school, beat up the smart kid who ruined the curve and made them look bad. Not worth being hauled into court, and threatened with a long prison sentence, particularly if the entire lawsuit is just bullying and bluster only to cover some idiot VIP's security mistake or misunderstanding. You know, like the MAFIAA did to hundreds of file sharers.
(Score: 0) by Anonymous Coward on Friday October 24, @06:38AM (1 child)
I have had too many issues with the shenanigans Apple and Microsoft pull to care about them anymore. There is no way I would get involved with their security issues.
I once politely informed a local bank that there was a potential issue with their website. They went full blitz mode out for my blood. That was over a decade ago, though; they may have changed. I'm not going to risk it.
There are companies who provide this kind of service for a fee. They have insurance and are protected as a corporation. They can do it. Just pay them.
(Score: 2) by bzipitidoo on Saturday October 25, @03:32AM
> They went full blitz mode out for my blood.
Exactly. Shoot the messenger.