Apple opens public bug bounty program, publishes official rules


Image: Laurenz Heymann

Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas.

Until today, Apple ran an invitation-based bug bounty program for selected security researchers only and was accepting only iOS security bugs.

Starting today, the company will accept vulnerability reports for a much wider spectrum of products, which also includes iPadOS, macOS, tvOS, watchOS, and iCloud.

In addition, the company has also increased its maximum bug bounty reward from $200,000 to $1,500,000, depending on the exploit chain’s complexity and severity.

Apple publishes official rules

To make it official, Apple has also published a new page on its website today detailing the bug bounty program’s rules, along with a breakdown of the rewards researchers stand to earn per the exploits they submit.

The rules are pretty strict and set a high bar for earning the top rewards. To be eligible for the top prizes and various bonuses, researchers must submit clear reports. These include:

  • A detailed description of the issues being reported.
  • Any prerequisites and steps to get the system to an impacted state.
  • A reasonably reliable exploit for the issue being reported.
  • Enough information for Apple to be able to reasonably reproduce the issue.

Security bugs that are novel, affect multiple platforms, work on the latest hardware and software, and impact sensitive components will give researchers a bigger chance at netting the top $1.5 million reward.

Vulnerabilities found in beta releases are also highly prized. Apple says it will add a 50% bonus on top of the regular payout for any bug reported in a beta release.

Bugs in beta releases are highly prized because these reports allow Apple to fix major security flaws before they reach production versions of its software, where they would impact billions of devices.

Apple will also pay a 50% bonus for regression bugs. These are bugs that Apple previously patched in older versions of its software, but they’ve been accidentally reintroduced in the code at a later point.

Vulnerabilities that allow for zero-click or one-click attacks are the ones that will bring researchers top money; however, Apple demands a full exploit chain for these types of submissions.

If one of these attacks uses three bugs chained together, the researcher will have to submit a full exploit chain that incorporates all the three bugs, and not only one — if they want to earn the maximum reward.

“As a few have noted, the bar is set pretty high in terms of deliverables,” Patrick Wardle, Principal Security Researcher at Jamf and an Apple security expert, told ZDNet today.

“One of the biggest challenges of a bug bounty program is filtering out all the subpar reports, and knowing what is a real/valid bug and the impact said bug could have,” Wardle said.

“So requiring an exploit puts the onus on the researcher yes, but also then will help Apple quickly and fully understand which bugs should be prioritized and thus fixed (first).”

Below is the video of Ivan Krstić, Apple’s head of security, announcing Apple’s public bug bounty program at Black Hat over the summer (at 38:05). Krstić’s presentation files are available for download here. Below the video is an image of the payouts Apple is willing to provide to security researchers [source].

[Image: apple-payouts.png, Apple’s bug bounty payout table]




Facebook will pay $650 million to settle class action suit centered on Illinois privacy law – TechCrunch


Facebook was ordered to pay $650 million Friday for running afoul of an Illinois law designed to protect the state’s residents from invasive privacy practices.

That law, the Biometric Information Privacy Act (BIPA), is a powerful state measure that’s tripped up tech companies in recent years. The suit against Facebook was first filed in 2015, alleging that Facebook’s practice of tagging people in photos using facial recognition without their consent violated state law.

Indeed, 1.6 million Illinois residents will receive at least $345 under the final settlement ruling in California federal court. The final number is $100 million higher than the $550 million Facebook proposed in 2020, which a judge deemed inadequate. Facebook disabled the automatic facial recognition tagging features in 2019, making it opt-in instead and addressing some of the privacy criticisms echoed by the Illinois class action suit.

A cluster of lawsuits accused Microsoft, Google and Amazon of breaking the same law last year after Illinois residents’ faces were used to train their facial recognition systems without explicit consent.

The Illinois privacy law has tangled up some of tech’s giants, but BIPA has even more potential to impact smaller companies with questionable privacy practices. The controversial facial recognition software company Clearview AI now faces its own BIPA-based class action lawsuit in the state after the company failed to dodge the suit by pushing it out of state courts.

A $650 million settlement would be enough to crush any normal company, though Facebook can brush it off much like it did with the FTC’s record-setting $5 billion penalty in 2019. But the Illinois law isn’t without teeth. For Clearview, it was enough to make the company pull out of business in the state altogether.

The law can’t punish a behemoth like Facebook in the same way, but it is one piece in a regulatory puzzle that poses an increasing threat to the way tech’s data brokers have done business for years. With regulators at the federal, state and legislative level proposing aggressive measures to rein in tech, the landmark Illinois law provides a compelling framework that other states could copy and paste. And if big tech thinks navigating federal oversight will be a nightmare, a patchwork of aggressive state laws governing how tech companies do business on a state-by-state basis is an alternate regulatory future that could prove even less palatable.


Twitter rolls out vaccine misinformation warning labels and a strike-based system for violations – TechCrunch


Twitter announced Monday that it would begin injecting new labels into users’ timelines to push back against misinformation that could disrupt the rollout of COVID-19 vaccines. The labels, which will also appear as pop-up messages in the retweet window, are the company’s latest product experiment designed to shape behavior on the platform for the better.

The company will attach notices to tweeted misinformation warning users that the content “may be misleading” and linking out to vetted public health information. These initial vaccine misinformation sweeps, which begin today, will be conducted by human moderators at Twitter and not automated moderation systems.

Twitter says the goal is to use these initial determinations to train its AI systems so that down the road a blend of human and automated efforts will scan the site for vaccine misinformation. The latest misinformation measure will target tweets in English before expanding.

Twitter also introduced a new strike system for violations of its pandemic-related rules. The new system is modeled after a set of consequences it implemented for voter suppression and voting-related misinformation. Within that framework, a user with two or three “strikes” faces a 12-hour account lockout. With four violations, they lose account access for one week, with permanent suspension looming after five strikes.

Twitter introduced its first pandemic-specific policies a year ago, banning tweets promoting false treatment or prevention claims along with any content that could put people at higher risk of spreading COVID-19. In December, Twitter added new rules focused on popular vaccine conspiracy theories and announced that warning labels were on the way.


Facebook launches BARS, a TikTok-like app for creating and sharing raps – TechCrunch


Facebook’s internal R&D group, NPE Team, is today launching its next experimental app, called BARS. The app makes it possible for rappers to create and share their raps using professionally created beats, and is the NPE Team’s second launch in the music space following its recent public debut of music video app Collab.

While Collab focuses on making music with others online, BARS is instead aimed at would-be rappers looking to create and share their own videos. In the app, users will select from any of the hundreds of professionally created beats, then write their own lyrics and record a video. BARS can also automatically suggest rhymes as you’re writing out lyrics, and offers different audio and visual filters to accompany videos as well as an autotune feature.

There’s also a “Challenge mode” available, where you can freestyle with auto-suggested word cues, which has more of a game-like element to it. The experience is designed to be accommodating to people who just want to have fun with rap, similar to something like Smule’s AutoRap, perhaps, which also offers beats for users’ own recordings.

Image Credits: Facebook

The videos themselves can be up to 60 seconds in length and can then be saved to your Camera Roll or shared out on other social media platforms.

Like NPE’s Collab, the pandemic played a role in BARS’ creation. The pandemic shut down access to live music and places where rappers could experiment, explains NPE Team member DJ Iyler, who also ghostwrites hip-hop songs under the alias “D-Lucks.”

“I know access to high-priced recording studios and production equipment can be limited for aspiring rappers. On top of that, the global pandemic shut down live performances where we often create and share our work,” he says.

BARS was built with a team of aspiring rappers, and today launched into a closed beta.


Despite the focus on music, and rap in particular, the new app in a way can be seen as yet another attempt by Facebook to develop a TikTok competitor — at least in this content category.

TikTok has already become a launchpad for up-and-coming musicians, including rappers; it has helped rappers test their verses, is favored by many beatmakers and is even influencing what sort of music is being made. Diss tracks have also become a hugely popular format on TikTok, mainly as a way for influencers to stir up drama and chase views. In other words, there’s already a large social community around rap on TikTok, and Facebook wants to shift some of that attention back its way.

The app also resembles TikTok in terms of its user interface. It’s a two-tabbed vertical video interface — in its case, it has “Featured” and “New” feeds instead of TikTok’s “Following” and “For You.” And BARS places the engagement buttons on the lower-right corner of the screen with the creator name on the lower-left, just like TikTok.

However, in place of hearts for favoriting videos, your taps on a video give it “Fire” — a fire emoji keeps track. You can tap “Fire” as many times as you want, too. But because there’s (annoyingly) no tap-to-pause feature, you may accidentally “fire” a video when you were looking for a way to stop its playback. To advance in BARS, you swipe vertically, but the interface is lacking an obvious “Follow” button to track your favorite creators. It’s hidden under the top-right three-dot menu.

The app is seeded with content from NPE Team members, which includes other aspiring rappers, former music producers and publishers.

Currently, the BARS beta is live on the iOS App Store in the U.S., and is opening its waitlist. Facebook says it will open access to BARS invites in batches, starting in the U.S. Updates and news about invites, meanwhile, will be announced on Instagram.

Facebook’s recent launches from its experimental apps division include Collab and collage maker E.gg, among others. Not all apps stick around. If they fail to gain traction, Facebook shuts them down — as it did last year with the Pinterest-like video app Hobbi.
