Apple says kernel vulnerability is not eligible for bounty

twitter.com

89 points by gaauch 2 years ago · 39 comments

TheLoafOfBread 2 years ago

No idea why Apple is being greedy here. They have enough money and there are going to be buyers out there who are going to have other intentions, which could become much more expensive for Apple. Save a cent to lose a dollar kind of situation.

  • madeofpalk 2 years ago

    Apple is often very stingy and greedy, but I don't think this is an example of this.

    This is 'just' a skill issue. Culturally, it seems this is not a process they're very good at running. A bunch of similarities to their App Review process, which isn't well regarded.

jjgreen 2 years ago

You can still get some reward for it on the dark web, surely.

  • siva7 2 years ago

    I'm trying to imagine what the reasoning at Apple even is, like it's literal peanuts for them even if they paid all bug bounties in the world.

  • delfinom 2 years ago

    No need for the dark web. Zerodium has a bounty of up to $200k for privilege escalation vulns on iOS/Android.

  • sirwhinesalot 2 years ago

    Next time it's where it should go. Clearly Apple doesn't mind.

    • hifromwork 2 years ago

      Promise of getting more money is not a justification for selling exploits to the criminals. Even if Apple had no bug bounty program, reporting it responsibly is the moral thing to do.

      • bastawhiz 2 years ago

        That's easy to say when you're not a security researcher whose income depends on getting paid for finding vulnerabilities—a career that wouldn't exist if Apple hadn't created the bounty program in the first place. It's really bad when you do good work that a third party goes back on their promise to pay you for: it's not always possible to accept the L and move on without pay.

        • hifromwork 2 years ago

          I'm a security researcher, but it's true that my income doesn't depend on getting paid for security vulnerabilities[1]. On the other hand, I'm old enough to remember when bug bounties didn't exist and yet (most) people did the right thing and disclosed their finds responsibly.

          If the bug from OP falls under Apple's bug bounty and yet Apple refuses to pay, it's very shitty behaviour and I hope they're forced to pay by the backlash and the researcher is made right. But if not, the reasonable response is to stop doing security research for free for Apple, not to do research with the goal of using it immorally due to a kneejerk reaction. If Apple stops their bug bounty program today, this is still not a justification to look for vulnerabilities in their products and sell them on the black market.

          [1] I'm mostly dealing with the people abusing the vulnerabilities, so that may influence my worldview.

          • bastawhiz 2 years ago

            It's pretty undeniable that there exists a significant cohort of folks whose sole reason for getting into security is to find vulnerabilities to collect bounties. Beg bounties are that taken to an extreme.

            > But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction.

            I'm sure lots of people will! But that won't necessarily stop folks from saying "I've discovered a vulnerability that would yield me an amount of money that would substantially improve my near-to-medium-term quality of life" and doing what's necessary to profit from that. Apple's program _necessarily_ inflates the amount of money a vulnerability sells for through immoral channels regardless of whether anyone is participating in it.

            > If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.

            This might be true for you, but that doesn't mean it's true for even a majority of other people.

          • ffsm8 2 years ago

            > yet (most) people did the right thing and disclosed their finds responsibly.

            How would you know? I'm not a security researcher and still know that there were always multiple avenues for selling vulns, and most weren't public.

            So really, what makes you think you can make that statement with any kind of confidence?

      • bloppe 2 years ago

        And that's the reason hacking does not exist.

netshade 2 years ago

Not a great look when many responses are "if the provider won't protect people, then the researcher should contemplate hurting people".

  • bastawhiz 2 years ago

    I pin the responsibility on Apple. They created a bounty system which incentivized people to build their livelihoods around finding these issues. They subsequently decided they wouldn't pay out those incentives essentially at random. If putting food on the table means getting paid for vulnerabilities, it's only rational to sell your work to whoever else is going to pay for it. Apple _created this market_ (and, you might argue, put the vulnerability into production). The only bad look here is Apple, imo.

  • archagon 2 years ago

    No, this is simply cause and effect. I wager a number of security researchers don’t find any moral issue with selling exploits, but prefer to be paid a bounty by the big corp due to ease and cachet. If that’s no longer tenable, they will hold up their middle fingers and just keep doing what they do. You can tell them they’re acting immorally all day long, but you will only be wasting your breath.

  • fulldecent2 2 years ago

    It is a great look! We are forward-thinking people who realize security happens when companies have healthy bug bounty programs.

  • delfinom 2 years ago

    We live in a capitalist society that the companies at the very top absolutely love to exploit. They also love to exploit "but think of the <patients>,<the people>,<the children>" and so on.

    Fuck you, pay me applies.

    • hifromwork 2 years ago

      By this logic, you're not even pretending you're better than this. You're not angry at Apple because they love to exploit, you're angry at them because you're not powerful enough to exploit others too.

      Do you agree with this statement? If not, I think there's a contradiction. You are morally obliged to do the right thing even if there are entities who don't.

SOLAR_FIELDS 2 years ago

Is this normal? I'm only ancillary to security stuff like this, but without details of the exploit it's hard to say whether or not this is scandalous. It's possible Apple made a mistake here, but is that a more likely scenario than the vuln just not being exploitable enough to warrant a bounty?

  • kryptiskt 2 years ago

    It was notable enough to be mentioned in their release notes for iOS 17.5, https://support.apple.com/en-gb/HT214101. I think that if they have to patch it, it's serious enough to reward the researcher for it. Like, it's not charity, it's not a thank you, it's an investment in their own platform's security. By not paying out they are only hurting themselves.

  • pdpi 2 years ago

    Bug bounties are a social solution to a social problem. In many ways, the actual money is less important than being seen to earnestly engage with the programme.

    Being hard-nosed about refusing to pay a bounty on a privilege escalation bug is a rookie mistake. It engenders ill will and cements your relationship with security researchers as adversarial rather than cooperative.

  • mdhb 2 years ago

    This is very much not normal and is absolutely a scandal.

    • deanishe 2 years ago

      It's pretty normal for Apple, tbh.

      They have a long history of refusing to pay bug bounties.

      • mdhb 2 years ago

        One has to wonder how many of the exploits out there don’t end up making their way to Cupertino as a result and what the consequences of that will be.

tolmasky 2 years ago

I think this is actually the security researcher's fault. If you read the small print, this kernel bug doesn't meet the Bug Bounty Qualification Criteria of being on an OS that Apple actually gives a shit about.

  • deanishe 2 years ago

    What exactly is their fault?

    They did Apple a solid, but not in accordance with the precise terms as laid out by Apple, so it's perfectly justified for Apple to take the researcher's work for nothing?

  • nickm12 2 years ago

    Apple doesn't give a shit about iOS?

iwontberude 2 years ago

More generally, bug bounties are not a significant industry for getting people paid, Hacker1 is Uber/Lyft for hackers. Maybe in some markets bug bounties are actually valuable relative to the prices of things, but in America it’s basically impossible to pay people what they are worth to find bugs.

mdhb 2 years ago

This kind of shit makes all of their customers less safe.

When people realise this is what they can expect from Apple they will just sell these exploits to intelligence agencies instead for who knows what purpose.

So congratulations Apple on fucking over not just this person but your entire customer base for years to come. Morons.

citizen_friend 2 years ago

So are we going to take this twitter post at face value? Anyone have more info?
