[coldcode]

If someone were to use NSO paid hacking to attack Apple executives's devices and then release everything they found, I bet Apple might take this more seriously instead of having some PR flack write marketing copy. Same is true of any tech company: until it hurts them specifically they can just ignore it or make it sound innocuous. Maybe Amazon has been targeted and they found out.

If someone were to use it against US government entities, maybe the NSA/CIA/etc might decide enough is enough, no matter what country they are in. So far at least publicly it seems like a non-event. But once the phone numbers are identified from that leaked list, things might become more serious for NSO.

People used to fight real wars against adversaries who targeted their country in some way, why should commercial entities supporting such attacks not be treated the same, except via non military action? Spying has always been done, but it can lead to serious consequences.

[fjtktkgnfnr]

> If someone were to use NSO paid hacking to attack Apple executives's devices and then release everything they found, I bet Apple might take this more seriously instead of having some PR flack write marketing copy.

That's not why Apple is skittish about this. Any action from them would invite the question "What about China?". And Apple loves China('s money).

[JumpCrisscross]

> Apple might take this more seriously instead of having some PR flack write marketing copy

What are they supposed to do?

[kilroy123]

Take security a lot more serious than they currently do. They've had some seriously embarrassing security holes in their software the last few years.

Also, they could increase the payout for their bug bounty. Why report to apple for a 0-day when you can make $1 million from these guys? It's not like Apple doesn't have the cash.

[adventured]

> Take security a lot more serious than they currently do.

That statement doesn't mean much. How do you know they're not taking it seriously enough and still struggling with the enormity of the problem regardless? You could always claim any entity isn't taking security serious enough.

The alternative explanation makes a lot more sense: security is extremely difficult at Apple's scale, serving a billion consumers with complex and essentially always-connected electronic devices (not to mention their huge services business now). Devices that also happen to be one of the single most important attack points that there is.

[ramraj07]

Then why not increase the bounty? What are they possibly going to loose? What’s a few million for a company that makes hundreds of billions a quarter?

If you’re gonna say there will be a flood of zero days that the cost will add up that also doesn’t support their security seriousness.

[badkitty99]

They could attempt to slow down the ad-ridden stupidity train they have everyone riding on, believing there is no such thing as iphone security tools besides the steaming iOs UpDaTeS

[tptacek]

Apple takes security more seriously than almost any other vendor in the entire world. It's in a small club of vendors that operates at the literal frontier of what computer science knows about building security into commercial products. No reasonable argument about what Apple can do start from the premise that they don't take the problem seriously.

They aren't above criticism. They do some things well that Google doesn't do as well, and vice versa; it would be good if everyone could level up to highest standards set by any in the club. It's totally fine to point these things out.

As for the bounty payout thing, I highly recommend you track down a talk from someone that has run a vulnerability/exploit market; there are a couple. The economics of selling vulnerabilities to the grey market are nowhere nearly as simple as they appear in ordinary message board threads. In particular: Apple offers a fixed, lump sum payment, where every market I'm aware of offers tranched payments that end when a vulnerability is burned.