There's really no basis for this beyond its reflexive repetition on messageboards. You might as well type 'million dollar logout CSRF' in every vulnerability report thread.
$25,000. App access to a small amount of sensitive data normally protected by a TCC prompt.
In this case you get a misleading prompt, the access requires additional interactions. It's a serious bug and I'm all for reporters of serious bugs getting bigger bounties from companies that have more cash than they know what to do with. But simply dropping a random number in every single one of these threads is just noise, not even advocacy or technical discussion.
I think you missed the end of the article where any macOS app could turn on your AirPods microphone without any permissions at all and at any time at all.
No it can't. It's only during Siri commands and dictation. It's not always-on.
Edit: NEVER MIND, that's correct, sorry. Why the heck does the article put the most dangerous part only at the end, and not include it in the tl;dr or anywhere else at all...??
Interesting that the page defines "sensitive data" as data "from Contacts, Mail, Messages, Notes, Photos, and real-time or historical precise location data — or similar user data — that would normally be prevented by the system." Notably missing is access to the microphone or camera.
I'm very surprised that Apple did not find this fell under the "or similar user data."
>The top payouts in each category are reserved for high quality reports and are meant to reflect significant effort, and as such are applicable to issues that impact all or most Apple platforms
It seems like the researcher put in significant effort, the demonstration was gold plated, or comparable exploits require far greater amounts of time and work to uncover.
The platform coverage seems broad enough to tick that box.
I would be very interested to read the internal report on how the $7k bounty figure was arrived at.
It is definitely arbitrary but part of me does think that surfacing such a bug is pretty important and if the monetary incentive was higher then we would have more white hat pentesters out there.