Thursday, 8 August 2019

Apple expands its bug bounty, increases maximum payout to $1M

Apple is finally giving security researchers something they’ve wanted for years: a macOS bug bounty.

The technology giant said Thursday it will roll out the bug bounty program to include Macs and MacBooks, as well as Apple TV and Apple Watch, almost exactly three years after it debuted its bug bounty program for iOS.

The idea is simple: you find a vulnerability, you disclose it to Apple, they fix it — and in return you get a cash payout. These programs are wildly popular in the tech industry because they fund security researchers in exchange for serious security flaws that could otherwise be used by malicious actors, and they help close the gap that otherwise leads bug finders to sell their vulnerabilities to exploit brokers or on the black market, where the flaws might be abused to conduct surveillance.

But Apple had dragged its feet on rolling out a bug bounty to its range of computers. Some security researchers had flat-out refused to report security flaws to Apple in absence of a bug bounty.

At the Black Hat conference in Las Vegas, head of security engineering and architecture Ivan Krstić announced the program to run alongside its existing iOS bug bounty.

Patrick Wardle, a security expert and principal security researcher at Jamf, said the move was a “no brainer.”

Wardle has found several major security vulnerabilities and dropped zero-days — details of flaws published without giving the company a chance to fix them — citing the lack of a macOS bug bounty. He has long criticized Apple for not having a bug bounty, accusing the company of leaving a void that pushes security researchers to sell their flaws to exploit brokers, who often use the vulnerabilities for nefarious reasons.

“Granted, they hired many incredibly talented researchers and security professionals — but still never really had a transparent mutually beneficial relationship with external independent researchers,” said Wardle.

“Sure this is a win for Apple, but ultimately this is a huge win for Apple’s end users,” he added.

Apple said it will open its bug bounty program to all researchers and increase the size of the bounty from the current maximum of $200,000 per exploit to $1 million for a zero-click, full chain kernel code execution attack with persistence — in other words, if an attacker can gain complete control of a phone without any user interaction and simply by knowing a target’s phone number.

Apple also said that any researcher who finds a vulnerability in pre-release builds, and reports it before general release, will qualify for up to a 50% bonus on top of the payout for the category of vulnerability they discover.

The bug bounty programs will be available to all security researchers beginning later this year.

The company also confirmed a Forbes report, published earlier this week, saying it will give a number of “dev” iPhones to vetted and trusted security researchers and hackers under the new iOS Security Research Device Program. These special devices give the hackers greater access to the underlying software and operating system — such as secure shell — to help them find vulnerabilities that are typically locked away from other security researchers.

Apple said that it hopes expanding its bug bounty program will encourage more researchers to privately disclose security flaws, which will help to increase the protection of its customers.




from Apple – TechCrunch https://ift.tt/2ZKtzJB

Apple Music for Artists comes out of beta with an iOS app and Shazam data

Apple Music launched its data dashboard for musicians more than a year ago. Today, the company is taking that product — Apple Music for Artists — out of beta, and adding some new features in the process.

For one thing, it’s no longer a web-only product, because Apple is releasing an iPhone app. On both web and iOS, Apple Music for Artists allows musicians and their teams to see how often a song has been played, how many listeners it’s reaching and how many times it’s been purchased.

There’s also an “insights” section designed to highlight noteworthy data at any given moment, like how the first week of a new song compares to the first weeks of previous songs, or when the popularity of a song is spiking, or if they’ve hit a big milestone like 1 million plays.

Apple is also introducing data from Shazam, the music-recognition app it acquired last year. The idea is to capture listener behavior that’s very different from seeking out an artist or a specific song — it’s more about a moment of spontaneous connection, when you hear a song and think, “Whoa, what’s this?” (This also provides a window to behavior beyond Apple Music listeners.)


One of the goals is to give musicians the data they need to actually guide their decisions. For example, they might see that a song isn’t getting many plays compared to their big singles, but it’s doing surprisingly well on Shazam — so maybe it’s time to shift promotion.

And the data is also browsable by city, on a map. So if someone’s planning a tour, they can use this data to choose which cities to visit, or to find the correct venue size in a given market.

Apple says all the data (including Shazam data) goes back to the launch of Apple Music in 2015. Any artist can claim their account for free.



from Apple – TechCrunch https://ift.tt/2KxLBbH

GitHub gets a CI/CD service

Microsoft’s GitHub today launched the beta of a new version of GitHub Actions with full continuous integration and delivery (CI/CD) capabilities built right into the service. General availability is planned for November 13.

The company also today announced that it now has more than 40 million developers on its platform.

Ten months ago, GitHub launched Actions, its workflow automation platform. Developers could already take actions to trigger all kinds of events and use that to build custom CI/CD pipelines. At launch, the GitHub team stressed that Actions allowed for building these pipelines, but that it was a lot more than that. Still, developers were obviously quite interested in using Actions for CI/CD.

“Since we introduced GitHub Actions last year, the response has been phenomenal, and developers have created thousands of inspired workflows,” writes GitHub CEO Nat Friedman in today’s announcement. “But we’ve also heard clear feedback from almost everyone: you want CI/CD! And that’s what we’re announcing today.”

With this updated version of Actions, developers can now build, test and deploy their code on any platform and run their workflows in containers or virtual machines. Developers can also test multiple versions of their applications in parallel thanks to a new feature called “matrix builds,” which lets you, for example, test three different versions of Node.js on Linux, Windows and macOS at the same time. Because GitHub Actions workflows are defined in a basic YAML file, making those changes is only a matter of adding a few lines to the file.
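The matrix build described above, written out as an added example workflow; this is illustrative YAML, not code from the article or from GitHub, and the job name, Node.js versions and npm scripts are assumptions:

```yaml
# .github/workflows/ci.yml (constructed example)
name: ci
on: [push, pull_request]

# Least-privilege token for the whole workflow: the jobs below only read
# the repository, so grant nothing more to GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  test:
    # One job instance per (os, node) pair: 3 x 3 = 9 runs in parallel.
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        node: [18, 20, 22]   # assumed versions; add a line here to widen the matrix
    steps:
      # Third-party actions are code that runs inside your pipeline: reference a
      # reviewed release tag (or a full commit SHA), never a moving branch.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
      - run: npm ci
      - run: npm test
```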

Supported languages and frameworks include Node.js, Python, Java, PHP, Ruby, C/C++, .NET, Android and iOS. Actions is also integrated with the GitHub Package Registry.

As the application is built, you also get live logs streamed to the Action console, and it’s easy to link to any line in a log file to discuss issues with the rest of your team.

These new features are available for free during the beta and will remain free for all public repositories.

Actions for GitHub Enterprise Server will launch next year and will include a hybrid option that will allow you to keep the code in a private data center and still use GitHub to orchestrate the workflows.

“GitHub Actions is the democratization of CI/CD and software automation. Developers can write workflows reacting to any GitHub platform event and reference open-source GitHub Actions — reusable pieces of code — to supercharge their software lifecycle the same way they are used to writing application code,” said Max Schoening, GitHub’s senior director of Product Design. “It truly is community-powered CI/CD with a pricing model that works for everyone.”


With this launch, GitHub is now also competing more directly with some of the CI/CD startups that have built businesses on top of the platform. That’s likely to create a bit of friction.

“GitHub has made a commitment to keeping their platform open to all partners, but only time will tell,” CircleCI CEO Jim Rose said in a statement. “Ultimately, developers are smart and will choose the best, most powerful tools available on the market, and we’re confident that that’s where CircleCI will continue to be. […] With more than nine years of data and experience on how teams move from idea to delivery, CircleCI is the leader in CI/CD and we are confident we have the best solution for developers.”

I expect that Rose’s comment will echo that of other CI/CD players, though it’s also worth noting, as Rose did, that Actions can be integrated with other continuous integration services to allow developers to trigger builds on their platforms. These providers can also make their own Actions available on GitHub.

“We see GitHub actions as complementary to what Codefresh does. It’s an additional way that users can leverage Codefresh to build robust pipelines in a scalable way. One interesting thing is that GitHub followed our lead in how they architected Actions. You can actually use GitHub actions as steps inside a Codefresh pipeline. So you see, we’re actually very aligned,” said Dan Garfield, the chief technology evangelist at CI/CD platform Codefresh. “Developers can find the Codefresh action right on GitHub!”

When I asked GitHub about this, Schoening provided the following statement: “GitHub and our community believe in choice and an open ecosystem. That is something we take seriously and build into everything we do. GitHub Actions lets developers integrate with all their existing tooling, mix and match new developer products, and hook into all parts of the software lifecycle, including existing CI/CD partners.”



from Android – TechCrunch https://ift.tt/2Kl7P1I
via IFTTT

Google Travel adds flight price notifications and a limited time flight price guarantee

Google is building out its travel product with more features to convince you to use it to book flights and plan trips directly, instead of having to go anywhere else. The company is adding more sophisticated pricing features, including historical price comparison for specific itineraries – and notifications about when a price is likely to spike or when it’s at the absolute lowest. It’s also offering a pricing guarantee for bookings made in the next couple of weeks, so you’ll be refunded the difference if Google says a flight price won’t drop and it subsequently does.

For any flights booked through Google that originate in the U.S. (regardless of destination) between August 13 and September 2, for which Google sends you an alert notifying you that the price is predicted to be at its lowest, the company will alert you if it does drop and then send you a refund on the price difference between what it predicted (i.e., what you paid) and the lowest actual fare.

It’s an attractive deal, and the limited-time offer is probably only available because this is new and Google wants to make sure people feel absolutely comfortable trusting its predictions. The company likely has the most readily available cross-airline information about flight availability, route popularity and price in the world, backed by some of the most sophisticated machine learning on the planet, so it sounds like a pretty safe bet for Google to make.

Google Travel is also adding a number of features once you actually book your trip – it’ll suggest next steps for planning your trip, and then help you find the best neighbourhoods, hotels, restaurants and things to do. Plus, reservations and other trip details will automatically carry over to the Google Maps app on your iOS or Android device.

Overall, it’s clear that Google is making an aggressive play to own your overall travel and trip planning – and it has the advantage of having more data, better engineering, and a whole lot more in the way of design skills when compared to just about every dedicated travel booking company out there.



from Android – TechCrunch https://ift.tt/2OJRvvH
via IFTTT

Google launches ‘Live View’ AR walking directions for Google Maps

Google is launching a beta of its augmented reality walking directions feature for Google Maps, with a broader launch that will be available to all iOS and Android devices that have system-level support for AR. On iOS, that means ARKit-compatible devices, and on Android, that means any smartphone that supports Google’s ARCore, so long as ‘Street View’ is also available where you are.

Originally revealed earlier this year, Google Maps’ augmented reality feature has been available in an early alpha mode to both Google Pixel users and Google Maps Local Guides, but starting today it’ll be rolling out to everyone (this might take a couple of weeks depending on when the update actually gets pushed to you). We took a look at some of the features available in the early version in March, and it sounds like today’s version should be pretty similar: you tap on any location nearby in Maps, tap the ‘Directions’ button, navigate to ‘Walking,’ then tap ‘Live View,’ which should appear near the bottom of the screen.

The Live View feature isn’t designed with the idea that you’ll hold up your phone continually as you walk – instead, it provides quick, easy and super useful orientation, by showing you arrows and big, readable street markers overlaid on the real scene in front of you. That makes it much, much easier to orient yourself in unfamiliar settings, which is hugely beneficial when traveling in unfamiliar territory.

Google Maps is also getting a number of other upgrades, including a one-stop ‘Reservations’ tab in Maps for all your stored flights, hotel stays and more – plus it’s backed up offline. This, and a newly redesigned Timeline which is arriving on Android devices only for now, should also be rolling out to everyone over the next few weeks.



from Android – TechCrunch https://ift.tt/2MJrmua
via IFTTT

Wednesday, 7 August 2019

Learn how enterprise startups win big deals at TechCrunch’s Enterprise show on Sept. 5

Big companies today may want to look and feel like startups, but when it comes to the way they approach buying new enterprise solutions, especially from new entrants. But from the standpoint of a true startup, closing deals with just a few big customers is critical to success. At our much anticipated inaugural TechCrunch Sessions: Enterprise event in San Francisco on September 5, Okta’s Monty Gray, SAP’s DJ Paoni, VMware’s Sanjay Poonen, and Sapphire Venture’s Shruti Tournatory will discuss ways for startups to adapt their strategies to gain more enterprise customers (p.s. early-bird tickets end in 48 hours – book yours here).

This session is sponsored by SAP, the lead sponsor for the event.

Monty Gray is Okta’s Senior Vice President and head of Corporate Development. In this role, he is responsible for driving the company’s growth initiatives, including mergers and acquisitions. That role gives him a unique vantage point of the enterprise startup ecosystem, all from the perspective of an organization that went through the process of learning how to sell to enterprises itself. Prior to joining Okta, Gray served as the Senior Vice President of Corporate Development at SAP.

Sanjay Poonen joined VMware in August 2013, and is responsible for worldwide sales, services, alliances, marketing and communications. Prior to SAP, Poonen held executive roles at Symantec, VERITAS and Informatica, and he began his career as a software engineer at Microsoft, followed by Apple.

SAP’s DJ Paoni has been working in the enterprise technology industry for over two decades. As president of SAP North America, DJ Paoni is responsible for the strategy, day-to-day operations, and overall customer success in the United States and Canada.

These three industry executives will be joined on stage by Sapphire Venture’s Shruti Tournatory, who will provide the venture capitalist’s perspective. She joined Sapphire Ventures in 2014 and leads the firm’s CXO platform, a network of Fortune CIOs, CTOs, and digital executives. She got her start in the industry as an analyst for IDC, before joining SAP and leading product for its business travel solution.

Grab your early-bird tickets today before we sell out. Early-bird sales end after this Friday, so book yours now and save $100 on tickets before prices increase. If you’re an early-stage enterprise startup you can grab a startup demo table for just $2K here. Each table comes with 4 tickets and a great location for you to showcase your company to investors and new customers.



from Apple – TechCrunch https://ift.tt/2YynbZg

PodcastOne is launching LaunchpadDM, a free hosting platform for independent podcasters

PodcastOne, the celebrity podcasting network from the founder of radio powerhouse WestwoodOne, is launching a free hosting platform for podcasters.

The Los Angeles-based syndicated podcasting platform, which counts athletes, politicians, talk radio hosts and reality television stars like Adam Carolla, Shaquille O’Neal, Steve Austin, Kaitlyn Bristowe, Dan Patrick, Spencer and Heidi Pratt, Jim Harbaugh, Ladygang, Dr. Drew, Chael Sonnen, Rich Eisen and Barbara Boxer among its talent, is angling to get insight into potential new talent through the venture.

“We will see which podcasts are performing well and offer them the opportunity to partner and grow with PodcastOne, and provide them with all the resources the network offers, including production, talent booking, promotion, a dedicated sales team and more,” said PodcastOne chief executive, Peter Morris, in a statement. “As the leading ad-supported podcast network, we are embracing the over 700,000 podcasts out there, and are here to support the long-term growth of independent podcasters.”


Called Launchpad Digital Media, the new hosting service is pitching podcasters a free platform including unlimited hosting; access to analytics including listenership, geography, and device data; total ownership of direct monetization channels for a podcast’s subscriber base, and complete control over how podcasts are distributed via Apple, Spotify or other services.

The company is also billing itself as a discovery platform, offering free promotion for the service’s various podcasts across its own network of popular podcasting talent.

“Over the years, people have shared with us how hard it can be out there in the desert of independent podcasting: you have to pay to host and get your podcast heard; you get no help in discoverability; you’re scared to leave and stop paying your hosting platform because you might lose your subscribers; and it’s virtually impossible to get noticed by a major podcast network who can help you take your hard work to the next level,” said Morris, in a statement. “Launchpad was built with the independent podcaster in mind. We wanted to help solve these problems… for free.”

Since nothing is actually free, and since PodcastOne wants to get paid, the catch is the company’s own ability to insert pre- and mid-roll advertising into podcasts that are hosted on the new service.

So podcasters can manage their direct advertising, but they give PodcastOne the ability to slot in ads that the company chooses across any of the podcasts that agree to be hosted on the service. It gives the company access to both marquee talent for high value, big spending advertisers, and a way to flood other podcasts with whatever ads the company wants.

Ads that LaunchpadDM inserts won’t be longer than two total minutes per episode and podcasters can determine the location of the midroll spot when uploading the episode.



from Apple – TechCrunch https://ift.tt/2yHTA0h