I think that there's a point where negligence becomes culpable. Given that, I'm considering 2 questions:
1) Suppose Apple sells potentially vulnerable software to users and knowingly refuses to curb market demand for potential exploits to the benefit of their bottom line. When a zero-day is discovered and sold to the highest bidder, what percentage of the blame does Apple deserve?
2) How does that percentage change with respect to the following?
(a) potential number of users affected
(b) cost of a bounty program as a percentage of total profit from sale of the vulnerable software
He doesn’t have to do it, but not worth his time? Sending his code to product-security@apple.com in whatever state it is shouldn’t take him more than 10 minutes.
And yes, he may have spent millions in hours to find this issue, but that’s a sunk cost now.
Granting a license to software that a company has invested millions of dollars in takes less than 10 minutes as well, but that doesn't mean they are obligated to give it to anyone who might find it useful for free. Sunk cost is an orthogonal issue.
It's reasonable to expect compensation for your work. Caveat that they don't sell it to someone who will exploit it.
Building or acquiring something of value in the hopes of profiting from it later is a fundamental part of life. It is why we go to school, invest in machinery, develop products, do research, etc.
It's definitely not worth his time if Apple isn't going to pony up a bounty, especially if he could recoup his sunk costs easily by selling the exploit to a security research / defense contractor.
Because someone at Apple decided to concentrate on the iPhone only. Their behavior towards the general computing line has been quite consistent in the last years, and I doubt it will ever change.
When there's no bounty program, or the bounty program is unreliably administrated, people have a right to sell their research to the highest bidder, whomever that may be.
People deserve to be compensated for their work; however, to suggest selling it to the highest bidder is completely unethical. If you undertake work without a prior agreement to be paid for it, you can't go and hold the security of the userbase hostage in demanding payment.
> selling it to the highest bidder is completely unethical
Whilst I don't disagree with the sentiment, "ethics" doesn't appear to have been any kind of motivator for business in general, ever. Look around you. How much of our goods and services have been produced by people working for a wage that is far below even the "living wage" threshold? What kind of life do these people live? What is their standard of living? How many of these products inflict extreme damage on the environment in some form, either directly or indirectly through the fossil fuels used and CO2 released in their production?
I strongly feel that "ethics" should become an overriding factor in where we are going as a species. But I don't agree that the place to start crying about ethics is some guy that finds problems in the product of a company with an insanely large cash reserve whose current "financial woes" are measured in "we are making a few billion dollars profit per quarter less than expected".
Apple can cry me a fucking river. It is on them to produce quality and secure products, instead of trying to squeeze every last cent of "cost reduction" out of every last element of their supply chain to the detriment of their user base. It isn't like they sell budget products; in almost all cases, Apple are the most expensive option for getting anything done.
Bug bounty programs are nothing new, and can be an effective avenue to increase the security and reliability of your products. It isn't like this guy is asking for anything outlandish, and he doesn't owe anything to anyone.
One can reasonably argue that if Apple has a bounty program and therefore finds information about critical security vulnerabilities in their products valuable, that one should prefer to sell information about such to them.
However, the situation is that they do not, and thus the absolute economic fact is that Apple considers such information utterly without value. Given these, there are no obligations upon hard working security researchers, and they are free to sell to someone who does find such information at least trivially valuable. In fact, it would be utterly unethical to do otherwise. A man is worthy of compensation for his labor provided that labor has value. If one party finds his labor of no value, that is not a problem. If some other party, such as the NSA, finds it valuable, then they have the right to sell it.
Obviously there are (unethical and disingenuous) trolls who will bring up scenarios where things are illegal. We are not considering those. Implicit is that this is an economic transaction, which can consider ethics, such as the right to be paid for valuable labor, but does not extend to the right to commit crimes. The constraint here, obviously, is that we are discussing legal commercial transactions for legally performed work.
They decided to spend time on finding a bug knowing that there is no bug bounty program for OSX; this is essentially blackmail.
The other possibility is that this bug is so trivial, e.g. the "press enter a lot" bug, that you can hardly argue that a reward is warranted for their effort.
If pressing enter a lot is such a trivial way of activating a bug, why wasn't it already found by Apple?
I would hope that Apple employs dozens of people at $100K or more a year to find bugs in macOS. Why wouldn't they pay comparable amounts to incentivize others to find bugs?
Failure to do so is a significant indication of their priorities.
I didn’t say they shouldn’t pay; estimating the effort for finding a vuln is a silly practice. However, if it was trivial to find and essentially stumbled upon, you can’t say they must pay for your effort, because there was no real effort involved.
And I would bet that Apple pays its security engineers well above 100K.
It is more akin to holding a user base hostage; if I were a company with a bug bounty program I would permanently ban Linus Henze from participating. This is highly unprofessional behavior.
You do not really think that? At least ethically speaking, that sure can't be. Then I also suspect you would be frowned upon for selling exploits to North Korean or Iranian buyers, for instance.
At no point did anyone advocate engaging in illegal criminal acts such as you are here blatantly advocating. It's very offensive to take a discussion of fair pay for honest work and try to twist it into a scenario of engaging in overtly criminal acts when that was never the case. You should be ashamed for even attempting such an unethical propaganda maneuver.
Everyone has a right to be paid for their work provided that work is valuable to others and is not criminal. For independent contractors and free agents they have an intrinsic and fundamental right to sell their work to the highest bidder in a legal manner. To suggest otherwise is completely unethical, depraved, and inhuman.
> people have a right to sell their research to the highest bidder, whomever that may be.
> whomever that may be.
I think most readers, myself included, read that additional qualifier on "highest bidder" to mean "even if such a bidder is unexpected or unscrupulous". If you meant "unless selling to such a bidder were illegal", then you should have said that. Your words were not only very different from that, but they specifically cover the case you claim not to be endorsing.
To say nothing of the fact that if you're informed enough to have a discussion on the sale of 0 days, it can be assumed you know the market is full of bad actors and state actors, so even if nobody mentioned it upfront, it's a topic that's on the table from the outset, IMO. It's not uncouth to bring up illegal behavior when it's a routine part of what's being discussed. I think it's a bit much that you attack that person's character for making what seems like a pretty sane reading of your post. Especially when it seems the person you're yelling at was right – the thing you said is not the thing you really think.