A well-known security researcher reports that Apple has slashed its bounties for finding vulnerabilities in macOS. Many have been halved, with one of them reduced from over $30k to just $5k, despite a growing problem with Mac malware.
Csaba Fitzl, principal macOS security researcher at Iru, says it suggests Apple doesn’t really care about the Mac, and increases the likelihood that vulnerabilities will be sold on the black market instead of reported to the company …
Apple security bounties slashed
Fitzl posted examples of the new rates on LinkedIn.
Full TCC (privacy) bypasses are down from 30.5k to 5k. Hard to interpret this in a good way. It feels like:
We (Apple) admit we can’t fix this shit and we don’t care anymore
or at least not willing to pay for it
We don’t care about privacy
Individual TCC categories are also down from 5-10k to 1k. This feels really weird especially because Apple’s mantra is privacy… macOS sandbox escapes are also down to 5k from 10k.
We verified that the rates he cited are accurate.
Transparency, Consent, and Control (TCC)
TCC refers to Apple’s Transparency, Consent, and Control framework. These are the mechanisms ensuring that apps can only access sensitive personal data if they have explicit user permission. A full TCC bypass would allow an app to gain access to a Mac user’s private information without consent.
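The consent decisions TCC enforces are recorded per service and per client in a SQLite database, so a defender reviewing a Mac can enumerate which apps currently hold the most sensitive grants (Full Disk Access, Accessibility, Screen Recording, Camera, Microphone). The following is an added example, not code from the article, from Fitzl, or from Apple; it assumes the `access` table layout TCC.db has used on recent macOS releases (`service`, `client`, `client_type`, `auth_value`, with 2 meaning allowed), builds a constructed look-alike database for offline use, and audits it. Column names have changed between macOS versions, so verify the schema before pointing it at a real file, which itself requires Full Disk Access to read.

```python
"""Audit which clients hold sensitive TCC grants in a TCC.db-style SQLite file.

Added example (not from the article or from Apple). Assumes the `access`
table layout used by recent macOS releases: columns `service`, `client`,
`client_type` and `auth_value`, where auth_value 2 means "allowed".
Older builds used an `allowed` column instead, so check the schema with
`sqlite3 TCC.db .schema` before trusting the query on a real database.
"""
import os
import sqlite3
import tempfile

# Real TCC service identifiers a reviewer usually wants to see first,
# mapped to the names System Settings shows for them.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
}

AUTH_ALLOWED = 2  # auth_value meaning the grant is currently active


def list_sensitive_grants(db_path):
    """Return sorted (service, client) pairs that are allowed for one of
    SENSITIVE_SERVICES. The database is opened read-only so an audit
    never modifies the consent store."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT service, client FROM access WHERE auth_value = ?",
            (AUTH_ALLOWED,),
        ).fetchall()
    finally:
        conn.close()
    return sorted((svc, client) for svc, client in rows if svc in SENSITIVE_SERVICES)


def build_sample_db(path):
    """Create a constructed TCC.db look-alike for offline testing.
    Every row here is made up and reflects no real system."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL, "
        "client_type INTEGER NOT NULL, auth_value INTEGER NOT NULL, "
        "PRIMARY KEY (service, client, client_type))"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, 2),  # allowed
            ("kTCCServiceScreenCapture", "com.example.helper", 0, 2),         # allowed
            ("kTCCServiceCamera", "com.example.chat", 0, 0),                  # denied
            ("kTCCServiceAddressBook", "com.example.mail", 0, 2),             # allowed, not in review list
        ],
    )
    conn.commit()
    conn.close()


def demo():
    """Build the constructed database in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "TCC.db")
        build_sample_db(path)
        return list_sensitive_grants(path)


if __name__ == "__main__":
    for service, client in demo():
        print(f"{SENSITIVE_SERVICES[service]:<18} {client}")
```

On a real machine the output is a list of bundle identifiers (or binary paths) per sensitive service; anything unexpected there is exactly the class of grant a TCC bypass would obtain without the user ever seeing a prompt, which is why a periodic review of these rows is a cheap compensating control while bounty incentives for finding such bypasses are shrinking.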
Among other things, TCC protects access to: