undefined | Better HN

0 pointsabalone9y ago0 comments

That is Comcast's reasoning, not Apple's. As the article notes, it's the opposite problem: Apple's internal team is running out of vulns to find.

0 comments

mahyarm9y ago

Well this guy has a bunch of ideas on how they can improve ;) https://twitter.com/i0n1c

bpchaps9y ago

Problem is - that's such an easy thing to say, whether it's true or false. For a device that's owned by millions, it's pretty grandiose of them to think that their internal team is all it takes. There's so much an internal team can do, so having an outside "team" is significantly better - even if it's just for a different view from a different vantage point. So, good on apple for doing this, but I'm questioning their past decisions. In particular their poor use of "they ran out of things to find" is worth discussing. The way this article is worded, their stance sounds incredibly naive, where a, "We don't have the same breadth as the infosec research community, and we would like to work with them." response might have been more appropriate.

That's just my personal impression, though.

edit: autocorrect fix

abaloneOP9y ago

I think it's more like Apple is patient and waits to get things right. Bug bounty programs are relatively new (past few years). The article notes that Apple faced a more complicated landscape than your typical company, one where state actors are bidders. So they needed to craft a more targeted program.

hyperpape9y ago

This seems like a pretty generic reason that doesn't explain that much. Are state actors not bidders on gmail, android, facebook, firefox, chrome?

1 more reply

j / k navigate · click thread line to collapse