I submitted a few macOS reports to the program, but Apple just sat on them forever, sometimes years, until I got frustrated enough to just publicly disclose the bugs. Needless to say, Apple never paid me a dime. For that reason, I don't actively look for macOS bugs anymore, and if I happen to find anything by accident, I'll just 0day.
I think that demanding full exploit chains is an excuse to ignore bugs and to discourage researchers from reporting them. What if a full exploit chain exists, but the links of the chain are known by different researchers? The researchers are incentivized to withhold bug reports without the full chain, and meanwhile an attacker who happens to have the full chain won't withhold their attack. Apple is practically making the black market for bugs more valuable.
It's basically the same as Apple demanding a sysdiagnose before they'll even look at a non-security bug report. Typo in the developer documentation? Please attach a sysdiagnose! It's ridiculous.
People can be evil or good.
Individual chains of course are still eligible for rewards:
> Individual chain components or multiple components that cannot be linked together will remain eligible for rewards, though these are proportionally smaller to match their relative impact.
Edit:
I think those that build a full chain and attempt to sell to the regular posse would rather just take the bug bounty from Apple. There's little information about the 0day market for chains but from what I've seen it is you need to provide long term support and hoard alternative methods when different parts get discovered or break down. With MIE and other mitigations and vigilant scanning of devices, there's more chance exploits and techniques are discovered, patched, and you as VR/ED will only get a small fraction of the contract (like say $8m over a couple of years). (Someone from the 0day industry feel free to correct me.)
nwellnhof•4mo ago
lapcat•4mo ago
agos•4mo ago
lapcat•4mo ago
nwellnhof•4mo ago
> We want those researchers to have an encouraging experience — so in addition to CVE assignment and researcher credit as before, we will now also reward such reports with a $1,000 award.