Apple opens public bug bounty program, publishes official rules


Image: Laurenz Heymann

Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas.

Until today, Apple ran an invitation-based bug bounty program for selected security researchers only and was accepting only iOS security bugs.

Starting today, the company will accept vulnerability reports for a much wider range of products, including iPadOS, macOS, tvOS, watchOS, and iCloud.

The company has also raised its maximum bug bounty reward from $200,000 to $1,500,000, depending on the exploit chain’s complexity and severity.

Apple publishes official rules

To make it official, Apple has also published a new page on its website today detailing the bug bounty program’s rules, along with a breakdown of the rewards researchers stand to earn for the exploits they submit.

The rules are pretty strict and set a high bar for earning the top rewards. To be eligible for the top prizes and various bonuses, researchers must submit clear reports. These include:

  • A detailed description of the issues being reported.
  • Any prerequisites and steps to get the system to an impacted state.
  • A reasonably reliable exploit for the issue being reported.
  • Enough information for Apple to be able to reasonably reproduce the issue.

Security bugs that are novel, affect multiple platforms, work on the latest hardware and software, and impact sensitive components will give researchers a bigger chance at netting the top $1.5 million reward.

Vulnerabilities found in beta releases are also highly prized. Apple says it will add a 50% bonus on top of the regular payout for any bug reported in a beta release.

Bugs in beta releases are highly prized because such reports allow Apple to fix major security flaws before they reach production versions of its software, where they would affect billions of devices.

Apple will also pay a 50% bonus for regression bugs: bugs that Apple previously patched in older versions of its software but that were accidentally reintroduced in the code at a later point.

Vulnerabilities that allow for zero-click or one-click attacks are the ones that will bring researchers top money; however, Apple demands a full exploit chain for these types of submissions.

If one of these attacks chains three bugs together, the researcher must submit a full exploit chain that incorporates all three bugs, not just one, in order to earn the maximum reward.

“As a few have noted, the bar is set pretty high in terms of deliverables,” Patrick Wardle, Principal Security Researcher at Jamf and an Apple security expert, told ZDNet today.

“One of the biggest challenges of a bug bounty program is filtering out all the subpar reports, and knowing what is a real/valid bug and the impact said bug could have,” Wardle said.

“So requiring an exploit puts the onus on the researcher, yes, but also then will help Apple quickly and fully understand which bugs should be prioritized and thus fixed (first).”

Below is the video of Ivan Krstić, Apple’s head of security, announcing Apple’s public bug bounty program at Black Hat over the summer (at 38:05). Krstić’s presentation files are available for download here. Below the video is an image of the payouts Apple is willing to provide to security researchers [source].

[Image: table of Apple bug bounty payouts]


