Google hacker wants money from Apple... for charity
Project Zero is Google's effort to clean up code by finding exploits, reporting them to companies, and then giving them a hard deadline before going public. Ian Beer is a Project Zero hacker who focuses on Apple and feels like his efforts should warrant some compensation... for charity:
Hi @tim_cook, I've been working for years to help make iOS more secure. Here's a list of all the bugs I reported which qualified for your bug bounty since its launch, could you invite me to the program so we can donate this money to @amnesty? pic.twitter.com/VUKj7BaJ4P — Ian Beer (@i41nbeer) August 8, 2018
The gist is, Apple introduced a bug bounty program last year, and pays out double if you donate to charity, but it's invitation only. And, since Beer works for Google, he's already paid to find and report these bugs.
Both having a bug bounty program be invitation only and having a team paid to find other people's bugs are edge cases when it comes to big tech companies.
Apple has also been criticized for not paying as much as nation-states or criminals might for iOS or macOS zero-day exploits. From the start, though, Apple made it clear the bug bounty program was never intended to be part of a bidding war with bad actors but as a way for researchers and white hats to get some compensation for doing the right thing and responsibly disclosing potential exploits.
Apple has a security team that works on its own new features and audits other features to prevent as many exploits as possible from reaching customers, and it also includes a red team that responds to any exploits that are discovered in the wild.
Beer doesn't think it goes far enough, though. If you're into information security, you can check out the slides from his Black Hat talk for more.
Here are the slides from my #blackhat talk yesterday: https://t.co/pgoM7IolPn Please expand the speaker notes if you read it! — Ian Beer (@i41nbeer) August 9, 2018
Calling out Apple, of course, is a great way to get headlines — including this one. But, ultimately, even the best security architecture and implementation can always be made better, and being challenged and challenging what you do is the best way to improve it.
So, who's right here? Should Apple open up the bug program to Project Zero employees, and many others? Should Google employees already paid to find bugs not try to get bounties as well, even for charity? And, what about Beer's recommendations?
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.