18 comments

[ 2.8 ms ] story [ 50.0 ms ] thread
Facebook - No dollar amounts listed but "If we pay a bounty it will be a minimum $500"

Amazon and Netflix, no dollar amounts listed

Microsoft offers up to $250k for "Critical remote code execution, information disclosure and denial of services vulnerabilities in Hyper-V"

Ironically that google page dumped a bunch of html into my browser, including a "script nonce" and a function definition:

    (function(H){H.className=H.className.replace(/\bgoogle\b/,'google-js')})(document.documentElement)
I'll be waiting for a cheque from them, I suppose.
Is this new? Is that why it's being posted?
Prior to now this program was invite only. They are blowing it open to all security researchers as of today.

https://apple.news/A4h_BM9HqTjSpsWKsrVPGBw

Also, max payout has been bumped to $1.5m which is a pretty big change. Most of this was announced a few months ago, they are just making good on a previous announcement at this point.

Thanks for the context. As a user of Apple devices, I'm excited about the increased attention to security!
Real $ amounts! This is how you beat the black market.
(comment deleted)
Critically, there's no information about whether reporters are allowed to disclose, which usually means that Apple is going to hide any seriously damaging vulnerabilities...
There's this:

> Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue). See terms and conditions.

No guarantees, then.

I see the biggest bounty is for &1,000,000USD and says:” Zero-click kernel code l execution with persistence and kernel PAC bypass”

As someone who doesn’t speak this language, what does thismean? And are there examples in history of this type of exploit affecting a large company?

An exploit that allows full control of the device that installs with no user interaction, zero-click, and is persistent even after rebooting or power cycling the device.
This is a great explanation, thanks!
> Zero-click

No user interaction required.

> kernel code l execution with persistence

Persistent malware with root privilege.

> kernel PAC bypass

I think PAC is some protection measures.

I think PAC is some protection measures.

Pointer Authentication Code

It’s a form of pointer integrity checking that you can read about in the Platform Security Guide (this used to be called the iOS Security Whitepaper) released today: https://support.apple.com/en-sg/guide/security/seca5759bf02/...

Google’s Project Zero also wrote a post about this mechanism, including a detailed case study of where they were able to bypass it: https://googleprojectzero.blogspot.com/2019/02/examining-poi...

PAC generally protects against return-oriented and other control-flow hijacking attacks.