One of the best security researchers in the world criticized Apple's bug-bounty program and challenged Apple CEO Tim Cook to donate $2.45 million to charity, the amount he said he would have received had he been part of the program.
"Hello @tim_cook, I've been working for years to make iOS more secure. Here's a list of all the bugs I reported that were eligible for your bug bounty since launch, please invite me to the program so we can donate the money to @amnesty?" Ian Beer, a Google employee, tweeted during a talk at Black Hat, a high-profile security conference in Las Vegas.
At the end of his talk, which was a technical look at iOS security, he launched into criticism of Apple.
"I do not think Apple is going to use the bug-bounty program as a promotional tool, but obviously it gives them a lot of good PR: these apparently high prices are often quoted, and, as with the million dollar dissident, used as this comfort you can wrap yourself in," he wrote in notes published alongside his slide deck, which he tweeted on Thursday.
Beer is one of the most prolific security researchers in the world. He and the Google team he works on, Project Zero, regularly find bugs that Apple then patches to make its software more secure.
If you add up the bounties for all the bugs he found and double the total, as if Apple were to match the money for charity, it comes to $2.45 million, Beer wrote.
Apple declined to comment.
Here's an example of two bugs Beer found and reported to Apple earlier this summer:
He has a day job
Bug bounties are payments, usually aimed at independent security researchers, meant to encourage them to report serious bugs rather than develop them into exploits or sell them on the black market. Basically: report what is called a "zero day", a previously unknown vulnerability, and if it's real, you get paid.
Apple's bug-bounty program offers big payouts, like those mentioned above, but unusually it is invitation-only. Apple launched it in 2016, after most other big tech companies had already launched their bug-bounty programs. Even if you found the most serious exploit in iPhone software, Apple would not pay you unless you were part of the program.
But Beer draws a salary from Google as part of one of the strongest bug-hunting teams in the world, which is itself unusual.
Beer works for Google on its elite Project Zero team, which finds undiscovered software bugs, including those in software made by other companies, such as Apple, CloudFlare, or Microsoft. By responsibly disclosing these bugs, the team makes the software safer for everyone.
But he also said he wants to be invited to Apple's bug-bounty program, which provides huge payouts for reporting dangerous bugs to the company. In effect, he would be compensated by Apple for work he has already done as part of his day job at Google. (Google did not immediately return an email asking whether its security researchers are allowed to collect bug bounties.)
Project Zero has been controversial. After all, what it does is try to break other companies' software and, when it succeeds, pressure the other company to fix it within 90 days, after which the bug is disclosed publicly. The program's origins go back to Google cofounder Sergey Brin's frustration that vulnerabilities in other companies' software could make Google less secure.
Apple's iPhone security is very tight and has a reputation in the security industry for being difficult to crack. But it's not bulletproof: in 2016, the UAE government used a weaponized zero-day exploit against a human rights activist.
The high level of iPhone security means that researchers can sometimes earn far more money selling zero-days on the black market than by working with Apple. That makes people like Beer even more remarkable, given his prolific ability to find iPhone bugs.
It is unclear whether there was a particular reason Beer went public with his complaints about how Apple handles vulnerabilities and disclosures. He said in the notes accompanying the talk that it was because Apple does a "bad job fixing" the bugs he reports. But Apple's secretiveness means it's unlikely that Cook or Apple will respond warmly to his proposal, either publicly or privately.