Yep, this lines up with my experience. I've been trying to work with Apple on a critical security vulnerability for over a year now that affects over 100 million systems. When I'd ask about the payout ranges at the beginning, I've had multiple people just block me as a contact, and Apple themselves refuse to answer. Apple has a strict stance of submitting all of the research up front with no expectations as far as payment. Today, I've been ghosted by Apple, no reply to multiple emails. The last message I have is them saying they're fixing it. I chose the ethical route at a steep cost; the average price of the vulnerability from the other buyers I was talking to was 475K. There have been attempts to hack me 2 days after requesting a quote from some buyers. The most I can hope for from Apple is 1/4th of that. It really is the poorest communication out of any program I've done, with the exception of AT&T's, who patched an RCE in their employee portal I reported (two months later) and then emailed me 6 months later saying there was no RCE. I've been told Apple is getting better with their communication over time, and now their average turnaround is 10 months.
Wow. "Apple’s bug bounty program offers $100,000 for attacks that gain “unauthorized access to sensitive data.” Apple defines sensitive data as access to contacts, mail, messages, notes, photos or location data."

But a hack that allows arbitrary, malicious applications to be installed doesn't count, even though it could send any user files on the computer (so any data that is not encrypted by its consuming application). That seems... a bit of a logical leap. I mean, yes, it can't let you access iCloud photos, but a random JPG on your computer is totally fair game, so even with their list, it feels like it should be included (let alone the Excel file with revenue figures that are going to be broadcast at the next quarterly results meeting with shareholders, or the HR docs containing PII, or...)
Internally at Apple, Ivan took over the team and then got rid of all MSRC managers and half the employees before the rewards program launched. The team drove into the ground afterward and churned through manager after manager; everyone left.
I'm always surprised by companies like Apple that have so much money that paying out bounties should be no issue at all. It feels like Apple doesn't like being on the weaker side of a negotiation.

Maybe I'm a little naive, but I would set up a bounty program at Apple that was very lucrative for security researchers to report their bugs. The main goal would be to make the holders of security vulnerabilities concerned that someone might submit a bug report and make their million-dollar bug worth zero.
I have a CVE from Apple for a vulnerability in a consumer-facing mobile application RE improper data access & failed obfuscation of sensitive information. People think the CVE is cool and all, and it might help me get my next job, but for now it hasn't helped me put any food on the table. Maybe next time I'll call China, Russia, randoms on Twitter, go public before reporting to them, et cetera. Incentives are f'd up.
I haven't read the article, because fuck paywalls. But given the stories from hackers that drip here and there, I have got a feeling they are setting forth conditions that are too crazy to be even taken seriously, compared to competitors.

It could be that 0-days are easier just to sell to the black market and not bother with Apple's ridiculousness and red tape.