The absence of the program bug bounty played a cruel joke with Apple
It is known that, unlike its competitors, such as Google and Microsoft, Apple does not have the concept of bug bounty, i.e. a cash reward for the discovered vulnerabilities in their products. The main products that attract most of the rewriters are OS X and iOS, as well as the Safari web browser. As well as in other cases of detecting significant vulnerabilities in the kernel for the jailbreak, the last case with significant vulnerability in the company’s cryptographic service algorithms also seems to be no exception. The vulnerability was discovered by researchers at Johns Hopkins University and was fixed by Apple in the released updates for OS X, iOS and watchOS.
The NY Times notes that a recently scheduled trial in the court, where representatives of the FBI were supposed to meet with Apple managers, was postponed due to the fact that a certain firm had offered the FBI its way of extracting encrypted data from iDevice. This topic once again raised the issue of the absence of the bug bounty program, which makes security companies look for vulnerabilities in iOS and sell exploits to special services without notifying Apple.
')
Today, many companies pay cash remuneration to security researchers for finding vulnerabilities in products and services. In addition to the aforementioned Google and Microsoft, other companies such as Facebook, Twitter, Mozilla, Yandex, Uber also have bug bounty. Google has already paid security researchers more than $ 6 million for the vulnerabilities found. The company also offers $ 100,000 for finding a serious Chromebook vulnerability.
Microsoft also has its own bug bounty system, and it pays out $ 100 thousand to detect a significant vulnerability in a web browser or OS. For example, such cases include conceptual vulnerabilities that can be circumvented, which allow to bypass the so-called. mitigation methods used by Windows to block exploits by default (DEP, ASLR, CFG, SEHOP, etc.). One of the winners of such a large bug bounty was Tencent Xuanwu Lab’s well-known specialist @tombkeeper .
This situation is unacceptable for Apple, which does not offer such a program, and therefore does not stimulate the writers to search for vulnerabilities, which affects Apple’s reputation as a company. In addition to including their names in security bulletins, resellers receive nothing from the company.
Fig. A fragment from the security-announce mailing security bulletin (APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002), in which Apple announces the fix for a significant iMessage vulnerability. Details of the vulnerability see here .
This creates a situation in which security companies that specialize in finding vulnerabilities in products of various vendors, it is advantageous to hold their exploits for sale and not notify the company about them. Recent events are evidence of this when, at the initiative of law enforcement, a trial with Apple was postponed due to the suggestion of one of these FBI firms to provide a tool for hacking iDevice and extracting data from there without the knowledge of passcode.
Earlier, we noted that in connection with the terrorist act in the United States, the security services wanted to get a legal basis for obtaining a tool to decrypt data from iOS devices. Apple disagreed with such a situation and it came to court, as well as a big controversy in society. Apple is not in a hurry to insert a backdoor in iOS, because it is well aware of what kind of resentment this may cause to users. Employees also threaten Apple with dismissal if the company makes concessions.
The NY Times notes that a recently scheduled trial in the court, where representatives of the FBI were supposed to meet with Apple managers, was postponed due to the fact that a certain firm had offered the FBI its way of extracting encrypted data from iDevice. This topic once again raised the issue of the absence of the bug bounty program, which makes security companies look for vulnerabilities in iOS and sell exploits to special services without notifying Apple.
')
Today, many companies pay cash remuneration to security researchers for finding vulnerabilities in products and services. In addition to the aforementioned Google and Microsoft, other companies such as Facebook, Twitter, Mozilla, Yandex, Uber also have bug bounty. Google has already paid security researchers more than $ 6 million for the vulnerabilities found. The company also offers $ 100,000 for finding a serious Chromebook vulnerability.
Microsoft also has its own bug bounty system, and it pays out $ 100 thousand to detect a significant vulnerability in a web browser or OS. For example, such cases include conceptual vulnerabilities that can be circumvented, which allow to bypass the so-called. mitigation methods used by Windows to block exploits by default (DEP, ASLR, CFG, SEHOP, etc.). One of the winners of such a large bug bounty was Tencent Xuanwu Lab’s well-known specialist @tombkeeper .
This situation is unacceptable for Apple, which does not offer such a program, and therefore does not stimulate the writers to search for vulnerabilities, which affects Apple’s reputation as a company. In addition to including their names in security bulletins, resellers receive nothing from the company.
Fig. A fragment from the security-announce mailing security bulletin (APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002), in which Apple announces the fix for a significant iMessage vulnerability. Details of the vulnerability see here .
This creates a situation in which security companies that specialize in finding vulnerabilities in products of various vendors, it is advantageous to hold their exploits for sale and not notify the company about them. Recent events are evidence of this when, at the initiative of law enforcement, a trial with Apple was postponed due to the suggestion of one of these FBI firms to provide a tool for hacking iDevice and extracting data from there without the knowledge of passcode.
Earlier, we noted that in connection with the terrorist act in the United States, the security services wanted to get a legal basis for obtaining a tool to decrypt data from iOS devices. Apple disagreed with such a situation and it came to court, as well as a big controversy in society. Apple is not in a hurry to insert a backdoor in iOS, because it is well aware of what kind of resentment this may cause to users. Employees also threaten Apple with dismissal if the company makes concessions.
Source: https://habr.com/ru/post/279971/
All Articles