Wow the Security research device looks awesome! https://security.apple.com/research-device
> Shell access is available, and you can run any tools, choose your own entitlements, and even customize the kernel.

Wow, I want one of these just for fun, sounds like what I want my normal iPhone to be able to do.

> Have a proven track record of success in finding security issues on Apple platforms, or other modern operating systems and platforms.

Well, that put a stop to my dream...
Do they actually pay out tho? I keep hearing of security researchers having difficulty getting these bounties. Seems like a great business strategy: outsource security audits, offer massive payouts, looks good, don't pay out and keep the pot growing larger to look even better.
This is also part of a new Security Research page https://security.apple.com
> Device attack via physical access: $5,000: Limited extraction of sensitive data from the locked device after first unlock. As an example, you demonstrated the ability to extract some contact information from a user’s locked device after the first unlock.

Uhhh I must be missing something here… I can trivially share a contact via email after my iPhone is unlocked?
It's a lot of talk, but I doubt Apple's honesty here.

See also Gui Rambo getting a measly $7,000 for a couple of fairly serious vulnerabilities.

https://news.ycombinator.com/item?id=33348013
> we’ve grown our team and worked hard to be able to complete an initial evaluation of nearly every report we receive within two weeks, and most within six days.

At other big tech companies, an initial evaluation of a security report will be done in 15 minutes... And if it's important, people will be woken up and a workaround will probably be deployed in a matter of hours...

For example, the Google security bug form[1] says "This option might really get someone out of bed."

[1]: https://www.google.com/appserve/security-bugs/m2/new