At least it seems that they won't assign CVE IDs and credit researchers without compensating them at all (which is what happened when I reported CVE-2024-27811, for example):
> We want those researchers to have an encouraging experience — so in addition to CVE assignment and researcher credit as before, we will now also reward such reports with a $1,000 award.
A "major evolution" would be for Apple to have informative two-way conversations with security researchers and to stop stiffing them for reports.
I submitted a few macOS reports to the program, but Apple just sat on them forever, sometimes years, until I got frustrated enough to just publicly disclose the bugs. Needless to say, Apple never paid me a dime. For that reason, I don't actively look for macOS bugs anymore, and if I happen to find anything by accident, I'll just 0day.
I think that demanding full exploit chains is an excuse to ignore bugs and to discourage researchers from reporting them. What if a full exploit chain exists, but the links of the chain are known by different researchers? The researchers are incentivized to withhold bug reports without the full chain, and meanwhile an attacker who happens to have the full chain won't withhold their attack. Apple is practically making the black market for bugs more valuable.
It's basically the same as Apple demanding a sysdiagnose before they'll even look at a non-security bug report. Typo in the developer documentation? Please attach a sysdiagnose! It's ridiculous.
Paying $1,000 for low-impact issues is a nice move which might make me contribute to their program again.
Don't bother. They'll find an excuse to pay $0. This is all at Apple's inscrutable discretion.
Aren't all bug bounty programs at the sponsor's inscrutable discretion?
Yes, but Apple tends to be more inscrutable than anyone else.
Thanks for notifying us, but our colleague fixed the issue just a minute before we received your email. You can try to find some other bug, though.
Really, there is no reason to play nice with these companies; sell it on Zerodium or some other blackhat marketplace. At least you will get paid.