One of the best security researchers in the world has publicly criticized Apple's bug-bounty program and challenged Apple CEO Tim Cook to donate $2.45 million to charity, the amount he said he would have received had he been part of the program.
"Hello @tim_cook, I've been working for several years to make iOS safer. Here's a list of all the bugs I reported since launch that would qualify for your bug bounty, please invite me to the program so we can donate this money to @amnesty?" Ian Beer, a Google employee, tweeted during a talk at Black Hat, a high-profile security conference in Las Vegas.
At the end of his talk, a technical look at iOS security, he turned to criticism of Apple.
"I do not think Apple intended to use the bug-bounty program as a PR tool, but of course it has given them good PR. These seemingly high prices are often quoted and, like the 'million dollar dissident,' used as a kind of comfort blanket you can wrap yourself in," he wrote in the notes published alongside his slides, which he tweeted on Thursday.
Beer is one of the world's most prolific security researchers. He and the team he works on inside Google, Project Zero, regularly find bugs that Apple then patches, making its software safer.
Adding up the bounty prices for the bugs he found and doubling the total, as if Apple matched the donation, comes to $2.45 million, Beer wrote.
Apple declined to comment.
Here is an example of two bugs Beer found and reported to Apple earlier this summer:
He has a day job
Bug bounties are payments, usually aimed at independent security researchers, that encourage them to report serious bugs instead of developing them into exploits or selling them on the black market. In short: report what is called a "zero-day," a previously unknown bug, and if it checks out, you can get paid.
Apple's bug-bounty program offers big payouts, like those listed above, but unusually it is invitation-only. Apple launched it in 2016, after most other big tech companies had already launched theirs. Even if you found the most serious exploit in the iPhone's software, Apple would not pay you unless you were part of the program.
But Beer draws a salary from Google as part of one of the world's strongest bug-hunting teams, which is itself unusual.
Beer works for Google on its elite Project Zero team, which hunts for undiscovered bugs in software, including software made by other companies such as Apple, CloudFlare, or Microsoft. By responsibly disclosing these bugs, the team makes software safer for everyone.
But he also said he would like to be invited to Apple's bug-bounty program, which offers big payouts for reporting dangerous bugs to the company. In effect, he wants Apple to compensate him for work he did as part of his day job at Google. (Google did not immediately respond to an email asking whether its security researchers may collect bug bounties.)
Project Zero has been controversial – after all, it tries to break other companies' software and, when it succeeds, forces the other company to fix it within 90 days. The program's origins go back to Google cofounder Sergey Brin's frustration that vulnerabilities in other companies' software can make Google less secure.
Apple's iPhone security is very tight and has a reputation in the security industry for being hard to crack. But it is not impenetrable – in 2016, the government of the UAE used a weaponized zero-day exploit against a human rights activist.
The high level of iPhone security means researchers can sometimes make far more money selling zero-days on the black market than working with Apple. That makes people like Beer all the more remarkable, given how prolifically he finds iPhone bugs.
It is unclear whether there was a specific trigger for Beer publicly complaining about how Apple handles vulnerabilities and disclosures. He said in the notes accompanying his talk that it was because Apple does a "bad job" of fixing the bugs he reports. But Apple's secretiveness means it is unlikely that Cook or Apple will respond warmly to his proposal, either publicly or privately.