It seems that the author found a vulnerability in the iCloud password reset that could have potentially allowed you to not only gain access to an iCloud account but also the passcode of a device. The reason why I think Apple decided not to give him a combined $350,000 bounty is because, from my understanding, he didn't actually realise the severity of what he found initially, exploit it and provide a proof of concept, and so his bug bounty claim was limited to what he found initially, and then Apple patched it (not a coincidence really) before anyone could do anything more. As a result, now he wants the full bounty, but Apple has decided to come to a random number as the bounty. It's easy to see why. Apple doesn't want the bad PR from the fact that some random enthusiast found a way to compromise both iCloud and the passcode of an iPhone without even having the target's physical device (insert Hollywood movie scene), and the fact that Apple, with all their might, may be vulnerable to something like this. On the other hand, the author is pissed he did not fully exploit it in the first place and claim the full bounty by maybe showing a proof of concept, and tried to be the good guy.
> Apple doesn’t want the bad PR from the fact that some random enthusiast found a way to compromise both iCloud and passcode of an iPhone
It is always problematic to do free work for big corporations. Corporations have an incentive to create "competitions" and similar "challenges" where many people participate doing free work, as they find nothing, and they can still underpay the few that find something.
Can you even imagine the cost for Apple/Amazon/Google/... if they had to find all these problems by themselves? Can you see the amount of free labor that they get?
I find this free work justified for open source, like Linux, as everybody profits from it. It is a contribution to society. Fixing big corporations' problems in your spare time only causes security experts' salaries to go down, as you are doing the job for free.
Can you even imagine the cost to Apple/Amazon/Google if the white hat community decides these companies have no ethics or integrity, so why not just go black hat instead?
I have no idea what the dark market rate is for hacking a high profile iCloud account, but I'd be very surprised if it's less than $18k.