Sick.Codes
Weaponizing source code 💉 I release cool projects & publish vulnerabilities 🧬 on GitHub, BugCrowd, HackerOne. Creator of Docker-OSX/iOS. DMs Open
Aug 19, 2021
Apple was supposed to be in our @DEFCON talk.

We sent them the vulnerability 4 months ago. They contacted us before the talk assuring us that we wouldn’t mention them, and we said, “sure because it’s not fixed yet.”

The vulnerability was discovered using a virtualized macOS. This is weird because the SRD is only for iPhones.

@Apple will you release a security research device for the desktop?

Does the Mac security not matter as much as iOS?

I used a jailbroken iPhone to verify and then an old OS via @CorelliumHQ.

Leave Corellium alone #safeharbor
Aug 18, 2021
MacStadium is controlled by @SummitPartners who also own jamf.

They virtualize macOS.

There is an iOS simulator in @MacStadium.

They are literally controlled by the same company, “a continued relationship with @Apple.”

Apple wants @CorelliumHQ because they want control 🥴 Have a bigger write up coming. How Apple turns a blind eye, how their research device is bogus and potentially discriminates disadvantaged researchers from ever participating in their bug bounty.

They want @CorelliumHQ so bad because.

We sent Apple a bug 4 months ago 🐌🥱⏱
Aug 17, 2021
Umm #ChipShortage feels like it’s getting WORSE not better 😂 companies are panic buying many popular items on Mouser/Digi-Key...

Should we turn to unsafe supply-chain sourcing?

“... Expected 17/8/2023!”

Hint: good time to open a semi fab 😂! For those who don’t understand the shortage, open up one of your least favorite smart devices, find the parts on mouser.com and see if it’s out of stock, or “On-Order”, etc.
Apr 21, 2021
FYI: @SAP does NOT have a public bug bounty program and this weird blog post is just to solicit free research. They don’t pay.

blogs.sap.com/2021/02/23/bug…

If your BBP is private then why tf are you boasting about it on your blog 😂? I got scammed into submitting research into their public program. Told them next time I’ll submit them through @thezdi instead.