by matthewaveryusa 3647 days ago
Also, all you need is one insider kernel developer to get all the source code anyways. I always find these kinds of initiatives silly -- A lot of companies think that an insider is a side-channel attack when really it's the main vector.

Yah, I've had this discussion numerous times. Especially with regard to hiring people from a competitor. Often you wonder how much information is traveling via unintentional side channels (not just employees that are also on the payroll of a 3 letter agency).

OTOH, there does seem to be a fair amount of competence where it matters though. In the couple of companies I worked for, the private keys used for signing things were very quietly kept hidden from the vast majority of the engineering teams/etc. AKA, it was possible to create development/test builds all day long, but creating valid license keys/firmware updates/etc for the builds given to customers was limited to a formal process which contained the keys. The private keys were only available to a couple of people tasked with maintaining the automation from which the builds/keys/etc came. Those people rarely had a need to move/etc them either, and such activities were done in the open.

Also, all you need is one insider kernel developer to get all the source code anyways.

You mean this source code? http://opensource.apple.com/source/xnu/

That is, unfortunately, by no means "all the source code" of the kernel-level code that is running on your Mac, iPhone, iPad, iPod, Apple TV, or Apple Watch.
Also, given enough money available, why ask people to build vulnerabilities in? Does anyone seriously think Apple's (or anyone's) kernel team doesn't have a single guy/girl that made at least one mistake?
Of course there are bugs, but they are hugely expensive to find.
And Apple, as well as Microsoft, Intel, and other companies have already voluntarily agreed to give the NSA and other agencies "early notice" of a vulnerability which can be exploited by the time it's fixed anyway. CISA also pretty much mandated it into law as well.