Comment by netsec_burn

5 years ago

It mystifies me too. I'm an independent security researcher who currently has a vulnerability in macOS with grave implications. I'd like to sell it to Apple for a fair price, but their security email is a dead end. Every time I've reached out they want me to disclose all of my research up front, no price negotiation. After doing as many bug bounties as I have, I've been burned one too many times by companies giving ~$200 for weeks or months of effort (less than minimum wage of course) on P1/P2 vulnerabilities in their infrastructure. I'm talking to a few groups who are willing to negotiate a price with me, but I can't be sure of their intent. I want to get it patched, but it's difficult when Apple themselves are disinterested.

They set out what they think is a fair price here: https://developer.apple.com/security-bounty/

Do you have any reason to think that Apple could stiff people that submit vulnerabilities to them?

My understanding of game theory says that Apple’s incentives are to try to act with integrity and to pay their bounties. There may be corner cases where confusion reigns, and where Apple mistakes someone for a fraud, but I would presume they need to be very rare – otherwise Apple’s reputation as a buyer would suffer and people would sell to other buyers who cared for their reputation better (and every vulnerability sold to a third party has a high expected cost to Apple. Edit: on second thoughts maybe the cost to Apple is fairly low - certainly the maximum bounty size says that).

Edit: I agree that Apple stating a maximum payout is hardly helpful. I presume third party buyers indicate a minimum value they will pay depending on the value of the vulnerability to them. There is a market here, and it isn’t clear that Apple is willing to pay market prices, perhaps because too many people/teams give their vulnerabilities to Apple for $0 (e.g. projectzero!)

  • I think it's more complicated than just what they list on the bounty site. In this case the parent commenter has to provide all of their work to Apple, before discussions of what it's worth. Additionally, it's not like there is a clear and transparent market around the bug bounty market. Unlike the Chrome bug program which releases all of its reports, discussions, and payouts after ~90 days or so, there's no way to see the history of what's been reported to Apple.

    In what other industries is that the case?