1(630)802-8605 Ravi.das@bn-inc.net

Apple has just announced the release of three new models of its iPhone:

*The iPhone XR;

*The iPhone XS;

*The iPhone XS Max.

Prices for all of the above models start at a whopping $800 and go up from there, depending on the model you purchase and any add-ons you choose.  More details about these new models can be found on Apple’s website here:

https://www.apple.com/iphone/

A simple Google search will turn up plenty of reviews of these new models, but here is one that comes to the top of the list:

https://www.techradar.com/reviews/iphone-xs

Apple has traditionally been very tight-lipped about the security features it builds into the iPhone.  I am not a smartphone expert, but from what I have read, iOS is probably one of the more robust and secure operating systems available on a mobile device.

For example, the company has made it very difficult to reverse-engineer the platform’s functionality, or even to jailbreak your own device.

Jailbreaking means gaining root-level (unrestricted) privileges on iOS by whatever means you have at your disposal, typically by bypassing the code-signing and sandbox restrictions Apple puts in place.  If this is discovered, you completely void the warranty on your device, and Apple may refuse to service it at all.

Apple has also prided itself on not seeking outside help to secure its software and hardware.  That changed only recently.  In 2016 the company announced a “Bug Bounty” program, initially open only to a small group of invited researchers, paying them to break into its systems and report previously unknown vulnerabilities back to Apple.  With the release of these new models, Apple has stepped up the ante with this program.

Apple has had a slow start with this so far, even while offering rewards of up to $200,000.  But this trend is now slowly starting to shift, and some cyber security firms have begun to earn part of their bread and butter by breaking into iOS.  These include the likes of Grayshift and Azimuth, both startups.

For one reason or another, other cyber security firms do not participate in the Bug Bounty program even as they continue to research flaws in iOS.  In fact, many of them do not report their findings to Apple at all, so that the bugs stay alive and can be chained into further exploitation research.  Heck, if it were me, I would report the vulnerabilities and take the cash!

Not surprisingly, Apple has also been very closed about how it runs its Bug Bounty program, and has kept secret the amounts it has paid out to hackers and cyber security firms.

Even those hackers who have received a payout from Apple remain tight-lipped about the vulnerabilities they discovered and the amount of cash they received.

They are simply afraid of losing a lucrative relationship with Apple if any details are released to the public.  In some cases, others have reported bugs and been promised payment, but nothing has yet arrived in their bank accounts.

Some have been waiting since last year for their payout.

As a result, many hackers do not wish to participate even after Apple has invited them individually to contribute to the cause.  The main reason for this appears to be Apple’s very slow payment cycle.

Because Apple does not disclose the bugs that have been reported to it, there have also been duplicate submissions.

For example, if Hacker X discovers a flaw and reports it to Apple, and no payment has been made, the case is not yet officially closed.  The same vulnerability may well still be unpatched, so another hacker, say Hacker Y, could discover the same flaw months down the road, submit it, and get paid for it.

My thoughts on this?

Just from what I have read and written thus far, it appears that the Bug Bounty program launched by Apple is a flawed one.  For example, Apple seems rather slow in getting back to participants, especially with the payouts.

My view is that if a hacker has discovered a bug and submitted the appropriate documentation through the right channels, then he or she should be paid for it immediately.

This should of course happen only after the bug has been confirmed.  I also think that Apple should make it a policy to double or even triple the payout if the hacker comes up with the right remedy to fix the bug.

This is a win-win situation for all parties involved, because not only does it keep the hacker motivated, but it also cuts the time it takes Apple to find a resolution.

Thus Apple can spend more time on research and development of iOS, and on making it better, of course.

The concept of a Bug Bounty program is not a new one, and many other tech giants offer one, including Microsoft, whose top payouts are even larger than Apple’s.  In my view, this is a great way to fill the current worker shortage in the cyber security industry.  There is a lot of skill and talent out there, but companies have to be able to reward those individuals quickly as well.

Finally, you can read about the formal announcement of Apple’s Bug Bounty program at this link:

https://www.forbes.com/sites/thomasbrewster/2016/09/28/apple-iphone-hacker-meet-cupertino/#2668bcf3473d