Just imagine if those iBoot exploits were all reported for cash to Apple. Essentially we get less freedom from our devices to do whatever with them.
Apple's bug bounty announcement is just a response to tighten up their walled garden. You'd think that macOS will be as limited as a desktop `OS like iOS and iPadOS is.
I admired the pirate vs navy culture Apple had in the past, but now they are neither and now become an IBM reincarnation. Just like old times...
Considering these bug bounty programs are the most economical way to hire white hat talent, what took them so long?
Why isn’t every company doing it? The only reason I can think of is that they haven’t done a decent QA of their own system and afraid of resulting embarrassment.
“ Apple says it will add a 50 percent bonus on top of the standard payout for bugs found in beta software, which allows the company to nix the issue before the OS version goes public. It is also offering the same bonus for so-called "regression bugs"”
Quite interesting their treatment of beta. I would have thought reverse.
If you have bug bounties at all then you are incentivizing employees to create subtle bugs on purpose to have their accomplices outside the company “discover” later.
I wish Apple would also improve their process for handling “ordinary” non-security bugs.
Since the WWDC 2019 betas and even after release all the way through to the latest updates today, I still run into a bug in Apple software and services, even their IDE and APIs, almost every single day.
Just a few hours ago I had to hard-reset my MacBook because it failed to wake from sleep (beachballed) after plugging in.
This has happened a few times on my barely-a-year old MBP running the latest Catalina, freshly installed and without any system-level/third-party modifications. This is not really acceptable and triggers horrible flashbacks of my time in the Microsoft trenches.
Last time I tried to use their new bug reporter (feedbackassistant.apple.com), I got distracted by reporting all of the bugs in the bug reporter itself. It's utterly fucked up on desktop Firefox and the mobile version of Chrome. Try going to the "Where would you like to start your feedback?" page and shrinking the window until not everything is visible at once. It's impossible scroll down, so you can't file any bugs (except for maybe watchOS bugs because that's at the top of the list).
They hide other instances of bugs so you can't tell if they're de duping them correctly.
They also close them for ridiculous reasons. We've been told stuff like "diskutil isn't meant for root filesystems", etc.
As someone writing fairly low level system code for MacOS as a day job, we've institutionally given up on Apple's bug report process. It eats a lot of developer time and has never had a positive outcome for us.
I heard a rumor that Apple has never paid out any money in their invite-only bug bounty days. This 2018 article seems to suggest that is true. Does anyone have any data to the contrary?
I get this weird error on macOS terminal where it refuses to do a login into the shell and just hangs. Killing everything in activity monitor doesn't make a difference. The only way to recover is to restart.
30 comments
[ 2.4 ms ] story [ 86.4 ms ] threadDefinitely keep this bookmarked in case I happen to come across anything.
https://developer.apple.com/security-bounty/
Apple's bug bounty announcement is just a response to tighten up their walled garden. You'd think that macOS will be as limited as a desktop `OS like iOS and iPadOS is.
I admired the pirate vs navy culture Apple had in the past, but now they are neither and now become an IBM reincarnation. Just like old times...
iOS has always been in scope. What you are saying should’ve already been able to happen wrt iBoot.
Why isn’t every company doing it? The only reason I can think of is that they haven’t done a decent QA of their own system and afraid of resulting embarrassment.
Quite interesting their treatment of beta. I would have thought reverse.
Since the WWDC 2019 betas and even after release all the way through to the latest updates today, I still run into a bug in Apple software and services, even their IDE and APIs, almost every single day.
Just a few hours ago I had to hard-reset my MacBook because it failed to wake from sleep (beachballed) after plugging in.
This has happened a few times on my barely-a-year old MBP running the latest Catalina, freshly installed and without any system-level/third-party modifications. This is not really acceptable and triggers horrible flashbacks of my time in the Microsoft trenches.
And then encourage others to also log the bug.
Apple prioritises which bugs to fix based on the severity and how common it is.
They also close them for ridiculous reasons. We've been told stuff like "diskutil isn't meant for root filesystems", etc.
As someone writing fairly low level system code for MacOS as a day job, we've institutionally given up on Apple's bug report process. It eats a lot of developer time and has never had a positive outcome for us.
https://www.vice.com/en_us/article/7xqdxe/google-project-zer...