undefined | Better HN

0 pointsbjterry9y ago0 comments

I read that as: if you find a bug and report it, you may get invited into the formal bug bounty program (but may not get a payout on the first one).

No idea if that's right though.

0 comments

IBM9y ago

The Reuters report has some details about why they limited it:

>Apple said it decided to limit the scope of the program at the advice of other companies that have previously launched bounty programs.

Those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open it up over time, according to Apple.

Security analyst Rich Mogull said that limiting participation would save Apple from dealing with a deluge of "low-value" bug reports.

"Fully open programs can definitely take a lot of resources to manage," he said.

http://www.reuters.com/article/us-cyber-blackhat-apple-idUSK...

amenghra9y ago

True, but it's not like Apple doesn't have the resources to manage an open submission program.

IBM9y ago

They may have financial resources but I doubt their security engineers would want to deal with the deluge.

coldtea9y ago

It's not about throwing money or people at a problem, it's the overhead that lowers its efficiency and agility.

duaneb9y ago

Maybe they want to invest cautiously. Seems smart to me.

NEDM649y ago

Then it seems like a job to me, if it is, then they should pay a salary.

ghshephard9y ago

If it was a salaried job you would have to sign a Non-Disclosure, assign all intellectual property rights to Apple, ensure that you have good work attendance, be responsive to what your manager tells you to do, etc, etc...

I'm sure there are a lot of security researchers who would like to dabble in dozens of companies products, without being told what they had to do every day, yet still be compensated.

j / k navigate · click thread line to collapse

0 comments

IBM9y ago

The Reuters report has some details about why they limited it:

>Apple said it decided to limit the scope of the program at the advice of other companies that have previously launched bounty programs.

Those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open it up over time, according to Apple.

Security analyst Rich Mogull said that limiting participation would save Apple from dealing with a deluge of "low-value" bug reports.

"Fully open programs can definitely take a lot of resources to manage," he said.

http://www.reuters.com/article/us-cyber-blackhat-apple-idUSK...

amenghra9y ago

True, but it's not like Apple doesn't have the resources to manage an open submission program.

IBM9y ago

They may have financial resources but I doubt their security engineers would want to deal with the deluge.

coldtea9y ago

It's not about throwing money or people at a problem, it's the overhead that lowers its efficiency and agility.

duaneb9y ago

Maybe they want to invest cautiously. Seems smart to me.

NEDM649y ago

Then it seems like a job to me, if it is, then they should pay a salary.

ghshephard9y ago

I'm sure there are a lot of security researchers who would like to dabble in dozens of companies products, without being told what they had to do every day, yet still be compensated.

j / k navigate · click thread line to collapse