
This is crazy. At this point it's pretty well established that Apple isn't really going to pay you much if at all. Might as well disclose in 90 days at this point.


Full disclosure is always responsible, even if the vendor is not notified in advance.


This is a part of our industry I do not follow beyond headlines. A lot of those headlines are about hackers trying to be responsible getting screwed out of supposed bounties that to my mind already appear quite small. Also responsible companies doing very little to quickly close them. Does anyone have any insight into how the market for vulnerabilities operates? Is there a significant disparity in price between official/responsible disclosures and private sales?


So most public companies don't even run bug bounties. The ones that do may or may not acknowledge your disclosure, and they decide what your vulnerabilities are worth regardless of any scales they might post on a blog. So in a best case scenario, you get maybe 10-100k for a world ending RCE + escalation but most of the time you get no response or <1k. On the gray market, though, something like that will easily sell for over 100k, sometimes several million. Generally it's frowned upon in academic circles, but there are a handful of large brokers like zerodium who are happy to pay out for interesting bugs.


Zerodium is not interested in this kind of bug. If they own at least one RCE+LPE, they can already access all data on any device and more.


As someone that actively works in the security industry and has spent quite a bit of time tracking this... Yes, there is a massive disconnect in pricing for private acquisitions of vulnerabilities in commonly used software.

Almost always it's between a 2-5 magnitude order of difference in price between a bug bounty and what a company like Zerodium pays. When they have a valuable enough customer asking for something specific they'll even give bonus rates between 2x-10x above their normal rates.

Here have a tweet where Zerodium is doing exactly that: https://twitter.com/Zerodium/status/1437884808257024008


Do you know of anyone personally who was paid?


Oh sure, Zerodium pays (over time, as long as the bug is unpatched), if you don't care how your exploits are used (will it be used to target Middle East journalists or jeopardize our democracies by watching over elected representatives? who knows.); sure, they vet their customers, and the customers swear they won't do anything bad with it.

Note: not sure they would pay for these private information leaks. They'd probably prefer a local escalation and then do the data collection themselves.


Holy fuck what kind of turds are these? Their "temporary" bounty boost listing includes specifically Moodle.

That's an application that will be used by minors to a large extent, meaning they're literally leaving kids the world around unsafe.

How any of this can be legal is beyond me.

Btw they're also targeting pidgin, I'm imagining this might be related to OTR sessions over tor...?

Edit: remembered Moodle is used by universities as well, so not overwhelmingly but still....

Edit 2: IMHO working or having worked for one of these companies should be a career ending move. Simply not acceptable to be working in this field anymore. Not by legal means of course, but as an industry we should simply consider people who were willing to sign a contract with these criminals to be unemployable. "Sorry we don't do business with turds."


>as an industry we should simply consider people who were willing to sign a contract with these criminals to be unemployable.

By that same logic we could include mass ad/surveillance companies like Google and Facebook in the list. IMHO those do way more damage to society as a whole. Where do we draw the line?


The fact that drawing any specific line is always wrong to an extent, and that it is difficult, is not a good argument against drawing a line at all.

We have tons of jobs you're even legally not allowed to do, no matter how profitable. We're literally talking about people who deal in vulnerabilities in software used by minors, with the express intent of keeping these open.

In my book, that is beyond the line. Change my mind.


Private buyers almost certainly pay a higher amount and their payments arrive much sooner.

Apple's published rates are high (up to $1M), but in practice they pay a lot lower.



