I sorted exploits by date, it made a fun short headline summary of how productive they were. Short answer: very.
I know it’s hard for senior management to want to really commit to bug bounty programs like this because it feels embarrassing and vulnerable, but posts like this should be sent around the boardroom when discussing — Apple rented an AMAZING security team here.
Sam, can you disclose what you got paid for all this?
End of the post it says 51k so far. I'd expect the price to go up a LOT more, because otherwise the sane (monetary) advice becomes "report some vulnerabilities to apple, and then keep finding them and sell them to third parties".
Yeah, that is only for 4 vulnerabilities out of 55. And 3 of them were only "High." They still have 10 (!!) more critical vulnerabilities they may receive payment on.
Also, they state in the article: "However, it appears that Apple does payments in batches and will likely pay for more of the issues in the following months."
There are defense contractors that do exactly this. Governments pay more than Apple will ever pay, so if you are in it for the money (and don't care about the ethical repercussions), selling the discovered exploits to governments is the way to go.
It seems like this cooperative approach was very effective. I assume rubber duck debugging and having multiple minds attacking the problem from multiple directions greatly improves the efficiency.