Security researcher hands Apple details of Keychain bug, calls for explanation regarding l...


Comments

  • Reply 21 of 31
    Latko Posts: 398 member
    The arrogance of some people who demand explanations.
    Borderline companies need borderline fans to defend their attitude
    edited March 2019
  • Reply 22 of 31
    macarena Posts: 365 member
    Yet another example of how Apple is earning bad karma by the day. This guy should not have released the exploit to Apple, and he should not even have mentioned that he was aware of the exploit. And just raised the issue of a Bug Bounty as a hypothetical scenario with Apple.

    Apple is clearly going in a direction that will make many of their loyal customers and fans unhappy with them. They did something similar in 1986-97, and haven't learned anything from that experience.

    The term for it is hubris.
  • Reply 23 of 31
    dewme Posts: 5,368 member
    From what little information is provided in this article it sure sounds like a breakdown of communication on both sides, but primarily instigated by the discoverer of the bug. It sounds like this person was silently protesting the lack of a bounty program by refusing to work openly and honestly with Apple and connecting to the people on Apple's side who needed to hear the whole story. You know what, if you start treating other people in a courteous and respectful manner and connecting on a human level you'd be amazed at how positive an outcome can be achieved. If we were still operating in the days of armed duels every dispute today would start off with one party shooting the other one in the leg and then stating "now let's talk about our dispute." I don't know why people have become such total shits about everything, but it's getting us nowhere and only making matters worse for everyone. There's a time when you need to put your ego aside, quit jumping to conclusions, and simply talk to other people, and connect like normal human beings need to do. We're living in a society that has unparalleled communication capabilities compared to any society that has ever existed. Everyone is communicating, but nobody is connecting at a human level. It's just one-way broadcast spew, mouthing off, digging in on indefensible positions, seeking to capitalize financially, and making everything about oneself. This has got to stop.
  • Reply 24 of 31
    I am curious though: why doesn't Apple have a bug bounty program for MacOS? Do they believe such programs aren't effective (then why have one for iOS)? It's just odd that Apple is silent on this topic. Are there people at Apple who are advocating for such a program, but they get shot down? Or are the people inside the Ring convinced that Apple's approach is the right one (but don't bother explaining why)?
  • Reply 25 of 31
    Johan42 Posts: 163 member
    Nearly a trillion dollar company can’t reward this kid for doing their work for them and saving their ass in the process. Ludicrous.
  • Reply 26 of 31
    fastasleep Posts: 6,417 member
    At this point, Apple just wants MacOS to die. If it is some critical security bug that does it, that's fine by Apple.
    Unadulterated bullshit.
  • Reply 27 of 31
    carnegie Posts: 1,078 member
    kimberly said:
    carnegie said:
    People generally can't be held liable (e.g., through a civil action) for (negligent) omissions which lead to harm suffered by others. But there are exceptions to that general rule.

    I don't know all the details of this situation, and he's in Germany so applicable principles might be very different, but I wouldn't rule out the possibility that he could face civil liability if he didn't take reasonable action (e.g. revealing details of the exploit to Apple) to mitigate the risk of harm to others. Again, the general rule would protect him from such liability. But I can think of exceptions which could possibly apply in this case. So it's possible - though I don't mean to suggest likely, I just don't know enough to make such an assessment - that he's now been made aware that he could face civil liability if he doesn't disclose the details of the exploit to Apple and, as a result of Apple not being able to address the problem as quickly, third parties are harmed.
    What?
    I'm saying that, if certain circumstances are present, Mr. Henze could possibly be held civilly liable if his failure to disclose the details of the exploit led to third parties being harmed - i.e., if the exploit was used on them because Apple wasn't able to fix the bug as quickly. I'm also saying it's possible that's why he disclosed the details to Apple. Apple, or legal counsel he sought, may have made him aware of that possibility.

    There are exceptions to the general rule that people aren't liable for harm experienced by third parties as a result of their omissions - i.e., their failures to do something.
  • Reply 28 of 31
    carnegie Posts: 1,078 member
    chasm said:
    I'm glad Linus decided to do the right thing. I concur with him that Apple should have a macOS bug-bounty program like the one that exists for iOS. But I disagreed that he had the right to try and blackmail one into existence -- Apple had zero reason to believe his claim without details or proof-of-concept, neither of which he provided.

    The sensible thing to do would be to band together with other security researchers and petition for such a program, not try low-level extortion as a first approach. Apple was absolutely right to respond but ignore the demands.
    Yeah, he was wrong to go about it the way he did. He put Apple in a position where it really couldn't respond positively. If he wanted to draw attention to the situation or put pressure on Apple he should have, e.g., provided the details of the exploit to Apple while publicly announcing that he had done so and making the case that Apple should have an OS X bounty program to encourage such good behavior in the future (and by others).

    What he did makes it seem like he was trying to get attention (or a bounty in this case) for himself, rather than trying to get Apple to implement a bounty program. If his motivation had been the latter, then his actions were likely counterproductive. He should have understood that, though perhaps he didn't. He's young so he might not have appreciated that going about it the way he did made it less likely that Apple would respond the way he wanted (to his particular situation).

    That said, I'm not sure what to think about bug bounty programs. There are certainly good reasons for them. But at the same time, I can think of reasons not to have them. For one thing, they encourage people to devote resources (or time) to looking for potentially problematic exploits. If those exploits are found, it's of course better for companies like Apple to know about them. But once they are found, some might choose not to disclose them in favor of nefarious purposes.

    My quick take is that such programs should provide bounties at the discretion of the companies offering them. I mean, the companies involved should be able to look at a given disclosed bug and decide whether or not it's worthy of a bounty and how much the bounty should be. Those deciding to look for bugs in hopes of getting a bounty can judge a company's past practices and decide whether that company's been fair, and act accordingly.
  • Reply 29 of 31
    gatorguy Posts: 24,213 member
    carnegie said:
    chasm said:
    I'm glad Linus decided to do the right thing. I concur with him that Apple should have a macOS bug-bounty program like the one that exists for iOS. But I disagreed that he had the right to try and blackmail one into existence -- Apple had zero reason to believe his claim without details or proof-of-concept, neither of which he provided.

    The sensible thing to do would be to band together with other security researchers and petition for such a program, not try low-level extortion as a first approach. Apple was absolutely right to respond but ignore the demands.
    Yeah, he was wrong to go about it the way he did...
    That said, I'm not sure what to think about bug bounty programs. There are certainly good reasons for them. But at the same time, I can think of reasons not to have them...
    My quick take is that such programs should provide bounties at the discretion of the companies offering them. I mean, the companies involved should be able to look at a given disclosed bug and decide whether or not it's worthy of a bounty and how much the bounty should be. Those deciding to look for bugs in hopes of getting a bounty can judge a company's past practices and decide whether that company's been fair, and act accordingly.
    Don't other companies' bounty programs work just like that? They don't automatically pay out for every reported "bug", nor rate those they accept as all having equal value.

    https://www.microsoft.com/en-us/msrc/faqs-bounty
    https://www.google.com/about/appsecurity/reward-program/
    https://www.forbes.com/sites/davidsilver/2018/08/05/general-motors-doubles-down-on-bug-bounty-cybersecurity-effort/#5479282cbf33
    https://hackerone.com/googleplay
    https://www.digitaltrends.com/computing/teen-bug-bounty-google/

    I've no idea why you think that ignoring a problem means no harm no foul, which is essentially what you've stated with claiming it as a negative when researchers are encouraged to look for exploits in their software. You really think they aren't looking for exploits anyway, just as this kid did? To get reimbursed (paid) for their work they just might look to a source other than Apple if they aren't going to be showing appreciation. Is that really your position? Sounds very anti-Apple.
    edited March 2019
  • Reply 30 of 31
    carnegie Posts: 1,078 member
    gatorguy said:
    carnegie said:
    chasm said:
    I'm glad Linus decided to do the right thing. I concur with him that Apple should have a macOS bug-bounty program like the one that exists for iOS. But I disagreed that he had the right to try and blackmail one into existence -- Apple had zero reason to believe his claim without details or proof-of-concept, neither of which he provided.

    The sensible thing to do would be to band together with other security researchers and petition for such a program, not try low-level extortion as a first approach. Apple was absolutely right to respond but ignore the demands.
    Yeah, he was wrong to go about it the way he did...
    That said, I'm not sure what to think about bug bounty programs. There are certainly good reasons for them. But at the same time, I can think of reasons not to have them...
    My quick take is that such programs should provide bounties at the discretion of the companies offering them. I mean, the companies involved should be able to look at a given disclosed bug and decide whether or not it's worthy of a bounty and how much the bounty should be. Those deciding to look for bugs in hopes of getting a bounty can judge a company's past practices and decide whether that company's been fair, and act accordingly.
    Don't other companies' bounty programs work just like that? They don't automatically pay out for every reported "bug", nor rate those they accept as all having equal value.

    https://www.microsoft.com/en-us/msrc/faqs-bounty
    https://www.google.com/about/appsecurity/reward-program/
    https://www.forbes.com/sites/davidsilver/2018/08/05/general-motors-doubles-down-on-bug-bounty-cybersecurity-effort/#5479282cbf33
    https://hackerone.com/googleplay
    https://www.digitaltrends.com/computing/teen-bug-bounty-google/

    I've no idea why you think that ignoring a problem means no harm no foul, which is essentially what you've stated with claiming it as a negative when researchers are encouraged to look for exploits in their software. You really think they aren't looking for exploits anyway, just as this kid did? To get reimbursed (paid) for their work they just might look to a source other than Apple if they aren't going to be showing appreciation. Is that really your position? Sounds very anti-Apple.
    I'm not sure how other bounty programs work, I haven't investigated them. I suggested how I think they should work, without regard to how they do or could.

    And I'm not suggesting that ignoring a problem is a good thing, or no harm no foul. That is not essentially what I stated. I said I can think of reasons not to have them, not that those reasons outweigh the reasons to have them. Of course people look for bugs (or exploits) anyway. But providing more (legal) ways to benefit financially from finding them encourages more attempts to find them. And, while that can be desirable, it can also be problematic.