Infosec researchers say Apple’s bug-bounty program needs work

Image: cartoon worm in a cartoon apple.

Caption: When you do not keep good relationships with bug reporters, chances are you won’t get to manage the disclosure timeline. (credit: mhatzapa via Getty Images / Jim Salter)

The Washington Post reported earlier today that Apple’s relationship with third-party security researchers could use some additional fine-tuning. Specifically, Apple’s “bug bounty” program—a way companies encourage ethical security researchers to find and responsibly disclose security problems with their products—appears less researcher-friendly and slower to pay than the industry standard.

The Post says it interviewed more than two dozen security researchers who contrasted Apple’s bug bounty program with similar programs at competitors including Facebook, Microsoft, and Google. These researchers allege serious communication problems and a general lack of trust between Apple and the infosec community its bounties are supposed to be attracting—“a bug bounty program where the house always wins,” according to Luta Security CEO Katie Moussouris.

Poor communication and unpaid bounties

Software engineer Tian Zhang appears to be a perfect example of Moussouris’ point. In 2017, Zhang reported a major security flaw in HomeKit, Apple’s home automation platform. Essentially, the flaw allowed anyone with an Apple Watch to take over any HomeKit-managed appliance physically near them—including smart locks, as well as security cameras and lights.
