



If you do not maintain a good relationship with the bug reporter, you may not be able to control the disclosure timeline.

The Washington Post reported today that Apple’s relationship with third-party security researchers could use some additional tweaks. Specifically, Apple’s “Bug Bounty” program, meant to encourage ethical security researchers to find and responsibly disclose security issues in its products, appears to be less convenient for researchers, and slower to pay, than the industry standard.

The Post interviewed more than 20 security researchers who contrasted Apple’s bug bounty program with similar programs from competitors such as Facebook, Microsoft, and Google. According to Katie Moussouris, CEO of Luta Security, serious communication problems and a general lack of trust between Apple and the infosec community have left researchers with “a bug bounty program where the house always wins.”

Lack of communication and unpaid bounties

Software engineer Tian Zhang seems to be the perfect example of Moussouris’s observation. In 2017, Zhang reported a serious security flaw in Apple’s home automation platform, HomeKit. Essentially, the flaw allowed anyone with an Apple Watch to take over HomeKit-managed accessories such as smart locks, security cameras, and lights.

After a month of repeated emails to an unresponsive Apple Product Security, Zhang asked Apple news site 9to5Mac to contact Apple PR, which he said was “much more responsive” than Product Security. Two weeks later, six weeks after he first reported the vulnerability, iOS 11.2.1 finally fixed the issue.

According to Zhang, his second and third bug reports were likewise ignored by Product Security, with neither bounty payments nor credit, although the bugs themselves were fixed. Zhang’s Apple Developer Program membership was revoked after he submitted the third bug.


Despite granting the app “only while in use” location permission, Brunner found that his app actually received 24/7 background location access.

Swiss app developer Nicolas Brunner had a similarly frustrating experience in 2020. While developing an app for Swiss Federal Roads, Brunner accidentally discovered a serious iOS location tracking vulnerability that allowed iOS apps to track users without their consent. Specifically, granting an app access to location data only while it is in the foreground actually gave the app permanent 24/7 tracking access.

Brunner reported the bug to Apple, which eventually fixed it in iOS 14.0 and credited Brunner in the security release notes. However, Apple dithered for seven months about paying him a bounty, and eventually notified him that “the reported issues and your proof of concept do not show the categories listed.” According to Brunner, Apple stopped responding to his emails after that notification, despite his request for clarification.

According to Apple’s own payout page, Brunner’s bug could be eligible for a $25,000 or $50,000 bounty in the “User-installed apps: Unauthorized access to sensitive data” category. That category specifically refers to “confidential data normally protected by TCC prompts,” and the payout page later defines “confidential data” to include “real-time or historical accurate location data, or similar user data that would usually be prevented by the system.”

When asked to comment on Brunner’s case, Apple’s Head of Security Engineering and Architecture, Ivan Krstić, told The Washington Post: “If you make a mistake, fix it quickly and speed up the program. I’m trying to learn to improve.”

The unfriendly program

Vulnerability broker Zerodium offers significant incentives for zero-day bugs and resells them to threat actors such as Israel’s NSO Group.

Moussouris, who helped create bug bounty programs for both Microsoft and the Pentagon, told the Post, “Before you try to have a sound vulnerability disclosure program, you need to have a sound internal bug-fixing mechanism.” Moussouris went on: “What do you think will happen when [researchers] report a bug that you already know about but haven’t fixed? Or when they are told the fix will take 500 days?”

One such option is to bypass the relatively unfriendly bug bounty program run by the vendor in question and instead sell the vulnerability to a gray-market broker, from which threat actors such as Israel’s NSO Group can purchase access. Zerodium offers up to $2 million for the most serious iOS vulnerabilities, but it also pays for less serious ones; Brunner’s location exposure bug would fall into its “up to $100,000” category.

Former NSA research scientist Dave Aitel told the Post that Apple’s closed and secretive approach to dealing with security researchers hampers the security of its entire product line. “Good relationships with the security community give us a strategic vision that goes beyond the product cycle. Hiring a lot of smart people only gets you so far,” Aitel added.

Bugcrowd founder Casey Ellis says companies should pay researchers if a reported bug leads to a code change that closes the vulnerability. “The more sincere, the more productive the bounty program will be,” he said.

Runaway success?

Apple’s own description of its bug bounty program is considerably rosier than the cases above, and the broader security community’s reaction to it, would suggest.

“The Apple Security Bounty program has been a huge success,” Ivan Krstić, head of Apple Security Engineering and Architecture, told The Washington Post. According to Krstić, the company has nearly doubled its annual bug bounty payouts and leads the industry in average bounty amount.

“We are working hard to scale our program in the midst of dramatic growth, and we will continue to provide the best rewards for security researchers,” Krstić continued. However, despite Apple’s total payouts increasing year over year, the company lags far behind its rivals Microsoft and Google, which paid out a total of $13.6 million and $6.7 million respectively in their latest annual reports, compared to Apple’s $3.7 million.

Source: https://arstechnica.com/information-technology/2021/09/infosec-researchers-say-apples-bug-bounty-program-needs-work/
