No idea why is Apple being greedy here. They have enough money and there are going to be buyers out there, who are going to have other intentions, which could become much more expensive for Apple. Save a cent to lose dollar kind of situation.
Apple is often very stingy and greedy, but I don't think this is an example of this.
This is 'just' a skill issue. Culturally, it's seems this is not a process they're very good at running. A bunch of similarities to their App Review process which isn't well regarded.
Promise of getting more money is not a justification for selling exploits to the criminals. Even if Apple had no bug bounty program, reporting it responsibly is the moral thing to do.
That's easy to say when you're not a security researcher whose income depends on getting paid for finding vulnerabilities—a career that wouldn't exist if Apple hadn't created the bounty program in the first place. It's really bad when you do good work that a third party goes back on their promise to pay you for: it's not always possible to accept the L and move on without pay.
I'm a security researcher, but it's true that my income doesn't depend on getting paid for security vulnerabilities[1]. On the other hand, I'm old enough to remember when bug bounties didn't exist and yet (most) people did the right thing and disclosed their finds responsibly.
If the bug from OP falls under Apple's bug bounty and yet Apple refuses to pay, it's a very shitty behaviour and I hope they're forced to pay by the backlash and the researcher is made right. But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction. If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.
[1] I'm mostly dealing with the people abusing the vulnerabilities, so that may influence my worldview.
It's pretty undeniable that there exists a significant cohort of folks whose sole reason for getting into security is to find vulnerabilities to collect bounties. Beg bounties are that taken to an extreme.
> But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction.
I'm sure lots of people will! But that won't necessarily stop folks from saying "I've discovered a vulnerability that would yield me an amount of money that would substantially improve my near-to-medium-term quality of life" and doing what's necessary to profit from that. Apple's program _necessarily_ inflates the amount of money a vulnerability sells for through immoral channels regardless of whether anyone is participating in it.
> If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.
This might be true for you, but that doesn't mean it's true for even a majority of other people.
I pin the responsibility on Apple. They created a bounty system which incentivized people to build their livelihoods around finding these issues. They subsequently decided they wouldn't pay out those incentives essentially at random. If putting food on the table means getting paid for vulnerabilities, it's only rational to sell your work to whoever else is going to pay for it. Apple _created this market_ (and, you might argue, put the vulnerability into production). The only bad look here is Apple, imo.
No, this is simply cause and effect. I wager a number of security researchers don’t find any moral issue with selling exploits, but prefer to be paid a bounty by the big corp due to ease and cachet. If that’s no longer tenable, they will hold up their middle fingers and just keep doing what they do. You can tell them they’re acting immorally all day long, but you will only be wasting your breath.
We live in a capitalist society that the companies at the very top absolutely love to exploit. They also love to exploit "but think of the <patients>,<the people>,<the children>" and so on.
By this logic, you're not even pretending you're better than this. You're not angry at Apple because they love to exploit, you're angry at them because you're not powerful enough to exploit others too.
Do you agree with this statement? If not, I think there's a contradiction. You are morally obliged to do the right thing even if there are entities who don't.
Is this normal? I’m only ancillary to security stuff like this but without details of the exploit it’s hard to say whether or not this is scandalous or not. It’s possible Apple made a mistake here, but is that a more likely scenario than the vuln just not being exploitable enough to warrant a bounty?
It was notable enough to be mentioned in their release notes for iOS 17.5, https://support.apple.com/en-gb/HT214101. I think that if they have to patch it, it's serious enough to reward the researcher for it. Like, it's not charity, it's not a thank you, it's an investment in their own platform's security. By not paying out they are only hurting themselves.
Bug bounties are a social solution to a social problem. In many ways, the actual money is less important than being seen to earnestly engage with the programme.
Being hard-nosed about refusing to pay a bounty on a privilege escalation bug is a rookie mistake. It engenders ill will and cements your relationship with security researchers as adversarial rather than cooperative.
I think this is actually the security researcher's fault. If you read the small print, this kernel bug doesn't meet the Bug Bounty Qualification Criteria of being on an OS that Apple actually gives a shit about.
They did Apple a solid, but not in accordance with the precise terms as laid out by Apple, so it's perfectly justified for Apple to take the researcher's work for nothing?
More generally, bug bounties are not a significant industry for getting people paid, Hacker1 is Uber/Lyft for hackers. Maybe in some markets bug bounties are actually valuable relative to the prices of things, but in America it’s basically impossible to pay people what they are worth to find bugs.
This kind of shit makes all of their customers less safe.
When people realise this is what they can expect from Apple they will just sell these exploits to intelligence agencies instead for who knows what purpose.
So congratulations Apple of fucking over not just this person but your entire customer base for years to come. Morons.
I'm not really sure what else you're asking for. Nobody in the world except Apple Product Security itself knows why Apple Product Security is refusing to pay a bounty in this case. It makes no sense.
