Not directly related, and I've said it before, but it's useful to see what ITW categories get exploited, use it to guesstimate profitability, level of complexity, and engineering work, and use it as a level-setting exercise for bug bounty payouts: https://twitter.com/pwnallthethings/status/1416800505049845760
For reference, the SMS/browser chains here look likely to sit in the "one click with kernel execution including PAC bypass and no persistence" category, so probably at the $250k mark in the Apple Security program.
Replying to @pwnallthethings
A good illustration that exploits like this are well within the budget of Lesotho, let alone large state actors.
Replying to @Pinboard
I don't think you'd find exploit chains like this at that price anywhere outside of some deluded fantasy of some Apple executives tho.
Replying to @pwnallthethings
I don't mean that it's anything like the market price or cost of developing such a bug. But the fact that this somewhat arbitrary bounty for software able to compromise a device used by hundreds of millions is $250K and not $250M has significance.
Replying to @Pinboard @pwnallthethings
And it might not even qualify for @Apple’s $250k bug bounty program given how Apple handles other bugs that clearly should qualify: https://medium.com/macoclock/apple-security-bounty-a-personal-experience-fe9a57a81943
If Apple fully automated its bug payout system, they would find a lot more bugs!