Infosec researchers say Apple’s bug-bounty program needs work

Cartoon worm in a cartoon apple.

If you don't maintain good relationships with bug reporters, you may not get to control the disclosure timeline. (credit: mhatzapa via Getty Images / Jim Salter)

The Washington Post reported earlier today that Apple's relationship with third-party security researchers could use some further fine tuning. Specifically, Apple's "bug bounty" program—a way companies encourage ethical security researchers to find and responsibly disclose security problems with their products—appears less researcher-friendly and slower to pay than the industry standard.

The Post says it interviewed more than two dozen security researchers who contrasted Apple's bug bounty program with similar programs at competitors including Facebook, Microsoft, and Google. Those researchers allege serious communication issues and a general lack of trust between Apple and the infosec community its bounties are supposed to be enticing—"a bug bounty program where the house always wins," according to Luta Security CEO Katie Moussouris.

Poor communication and unpaid bounties

Software engineer Tian Zhang appears to be a perfect example of Moussouris' anecdote. In 2017, Zhang reported a major security flaw in HomeKit, Apple's home automation platform. Essentially, the flaw allowed anyone with an Apple Watch to take over any HomeKit-managed accessories physically near them—including smart locks, as well as security cameras and lights.
