
I found 75k for such a severe security issue a low figure; on Apple's security bounty page the max pay for such an exploit is 500k. https://developer.apple.com/security-bounty/


It’s a bug in Safari, not in the webcam so that may be why?


That could be, but it’s still far too low.

I imagine that a Black Mirror type of scandal involving this exploit could do many millions if not billions in damage to Apple’s finances. Not to mention what such an exploit might fetch on the black market.


I firmly believe that a government intelligence operation would be willing to pay far more than 75k for this.


Bug bounty payouts are not meant to match what you can get on the black market.


That seems like a major flaw in bug bounties then. What else could they be competing with?


There's more to the black market than just money: you often need to deal with unscrupulous individuals (possibly a couple of levels removed) and risk going to jail. The bounty incentivizes researchers to research and disclose, not disincentivize people who were going to sell them anyways (who will pay whatever it costs to get these anyways).


The black market responds to the legal markets. Unless you think that these companies can ultimately win a bidding war against black market actors, trying too desperately to win over the black hats will just enrich them further.


I disagree, they’re designed to incentivize people not to sell such secrets on the black market. If this wasn’t true, these programs wouldn’t exist.

They’ve just gotten used to banking on people taking much less than black market value in order to avoid legal complications.


They're designed to disincentivize moral people from selling such secrets on the black market, and show that companies care about fixing bugs. Authoritarian governments will always be more than willing to offer large sums of money for such exploits.



