At least it seems that they won't assign CVE IDs and credit researchers without compensating them at all (which is what happened when I reported CVE-2024-27811, for example):
> We want those researchers to have an encouraging experience — so in addition to CVE assignment and researcher credit as before, we will now also reward such reports with a $1,000 award.
A "major evolution" would be for Apple to have informative two-way conversations with security researchers and to stop stiffing them for reports.
I submitted a few macOS reports to the program, but Apple just sat on them forever, sometimes years, until I got frustrated enough to just publicly disclose the bugs. Needless to say, Apple never paid me a dime. For that reason, I don't actively look for macOS bugs anymore, and if I happen to find anything by accident, I'll just 0day.
I think that demanding full exploit chains is an excuse to ignore bugs and to discourage researchers from reporting them. What if a full exploit chain exists, but the links of the chain are known by different researchers? The researchers are incentivized to withhold bug reports without the full chain, and meanwhile an attacker who happens to have the full chain won't withhold their attack. Apple is practically making the black market for bugs more valuable.
It's basically the same as Apple demanding a sysdiagnose before they'll even look at a non-security bug report. Typo in the developer documentation? Please attach a sysdiagnose! It's ridiculous.
I think it's just reacting to the market; with MIE the cost of full chains probably go up significantly, and individual chains are worth less than what it would be when included in a full chain.
Individual chains of course are still eligible for rewards:
> Individual chain components or multiple components that cannot be linked together will remain eligible for rewards, though these are proportionally smaller to match their relative impact.
Edit:
I think those that build a full chain and attempt to sell to the regular posse would rather just take the bug bounty from Apple. There's little information about the 0day market for chains but from what I've seen it is you need to provide long term support and hoard alternative methods when different parts get discovered or break down. With MIE and other mitigations and vigilant scanning of devices, there's more chance exploits and techniques are discovered, patched, and you as VR/ED will only get a small fraction of the contract (like say $8m over a couple of years). (Someone from the 0day industry feel free to correct me.)
Yeah: this is all just noise, lies heaped upon lies. At times I've at least felt as if a few of the people involved internally "mean well", despite the company as a whole being evil... but, then I had to realize: their entirely-useless "sort of meaning well" was just causing me to slightly stall on going scorched earth on the entire program, so they were actually just yet another part of the problem. Apple--as a whole, including the people who work there, including the people who feel like they are different--just simply doesn't care about end-user security: they only care about maintaining control.
Curious how this target flag thing will work. I'm guessing each flag in the OS would be unique and possibly easy to discover. It is just when you submit your exploit/bypass to Apple in their verification environment where the security controls can't be bypassed, if you reveal the right flag they confirm the bounty?
Paying $1,000 for low-impact issues is a nice move which might make me contribute to their program again.
Thanks for notifying us, but our colleague has fixed the issue just a minute before we received your email. You can try to find some other bug tho..
Really, there is no reason to play nice with these companies, sell it on Zerodium or some other blackhat marketplace. At least you will get paid.
Don't bother. They'll find an excuse to pay $0. This is all at Apple's inscrutable discretion.
At least it seems that they won't assign CVE IDs and credit researchers without compensating them at all (which is what happened when I reported CVE-2024-27811, for example):
> We want those researchers to have an encouraging experience — so in addition to CVE assignment and researcher credit as before, we will now also reward such reports with a $1,000 award.
aren't all bug bounty program at the sponsor's inscrutable discretion?
Yes, but Apple tends to be more inscrutable than anyone else.
A "major evolution" would be for Apple to have informative two-way conversations with security researchers and to stop stiffing them for reports.
I submitted a few macOS reports to the program, but Apple just sat on them forever, sometimes years, until I got frustrated enough to just publicly disclose the bugs. Needless to say, Apple never paid me a dime. For that reason, I don't actively look for macOS bugs anymore, and if I happen to find anything by accident, I'll just 0day.
I think that demanding full exploit chains is an excuse to ignore bugs and to discourage researchers from reporting them. What if a full exploit chain exists, but the links of the chain are known by different researchers? The researchers are incentivized to withhold bug reports without the full chain, and meanwhile an attacker who happens to have the full chain won't withhold their attack. Apple is practically making the black market for bugs more valuable.
It's basically the same as Apple demanding a sysdiagnose before they'll even look at a non-security bug report. Typo in the developer documentation? Please attach a sysdiagnose! It's ridiculous.
I think it's just reacting to the market; with MIE the cost of full chains probably go up significantly, and individual chains are worth less than what it would be when included in a full chain.
Individual chains of course are still eligible for rewards:
> Individual chain components or multiple components that cannot be linked together will remain eligible for rewards, though these are proportionally smaller to match their relative impact.
Edit:
I think those that build a full chain and attempt to sell to the regular posse would rather just take the bug bounty from Apple. There's little information about the 0day market for chains but from what I've seen it is you need to provide long term support and hoard alternative methods when different parts get discovered or break down. With MIE and other mitigations and vigilant scanning of devices, there's more chance exploits and techniques are discovered, patched, and you as VR/ED will only get a small fraction of the contract (like say $8m over a couple of years). (Someone from the 0day industry feel free to correct me.)
Yeah: this is all just noise, lies heaped upon lies. At times I've at least felt as if a few of the people involved internally "mean well", despite the company as a whole being evil... but, then I had to realize: their entirely-useless "sort of meaning well" was just causing me to slightly stall on going scorched earth on the entire program, so they were actually just yet another part of the problem. Apple--as a whole, including the people who work there, including the people who feel like they are different--just simply doesn't care about end-user security: they only care about maintaining control.
Companies aren’t evil or good, they’re companies.
People can be evil or good.
Curious how this target flag thing will work. I'm guessing each flag in the OS would be unique and possibly easy to discover. It is just when you submit your exploit/bypass to Apple in their verification environment where the security controls can't be bypassed, if you reveal the right flag they confirm the bounty?