MacRumors

macrumors bot
Original poster
Apr 12, 2001


Apple offers a bug bounty program that's designed to pay security researchers for discovering and reporting critical bugs in Apple operating systems, but researchers are not happy with how it operates or Apple's payouts in comparison to other major tech companies, reports The Washington Post.


In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn't always pay out what's owed.

Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid. While other companies like Facebook, Microsoft, and Google highlight security researchers that find major bugs and hold conferences and provide resources to encourage a wide range of participants, Apple does not do so.

Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed.

Apple's reluctance to be more open with security researchers has discouraged some researchers from providing flaws to Apple, with those researchers instead selling them to customers like government agencies or companies that offer up hacking services.

Apple's Head of Security Engineering and Architecture, Ivan Krstić, told The Washington Post that Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future.
"We are also planning to introduce new rewards for researchers to keep expanding participation in the program, and we are continuing to investigate paths to offer new and even better research tools that meet our rigorous, industry-leading platform security model."
Luta Security founder Katie Moussouris told The Washington Post that Apple's poor reputation with the security community could in the future lead to "less secure products" and "more cost."

Apple's bug bounty program promises rewards ranging from $100,000 to $1,000,000, and Apple also provides some researchers with special iPhones dedicated to security research. These iPhones are less locked down than consumer devices and are designed to make it easier for security vulnerabilities and weaknesses to be unearthed.

Sam Curry, a security researcher who worked with Apple in 2020, said that he offered feedback to Apple and that he feels the company is aware of how it's seen and is "trying to move forward." According to The Washington Post, Apple this year hired a new leader for the bug bounty program, so it could soon see some improvements.

Article Link: Security Researchers Unhappy With Apple's Bug Bounty Program
 

Shirasaki

macrumors P6
May 16, 2015
Apple wants a more locked down system but is reluctant to pay the researchers who help achieve that goal. I have no idea what Apple is actually thinking now.

Maybe several high profile mass exploits would let Apple rethink their strategies. Or, maybe Apple just caves and builds their own backdoors.

What a year we are living in.
 

gsurf123

macrumors 6502
Jun 1, 2017
None of us are aware of what is being submitted and if it is of any value. This is basically another attempt to raid Apple's wallet just like everyone else who is complaining.

If the system is so bad, just like the App Store is, then quit submitting bugs. Same goes for the App Store...stop developing products for it.
 
None of us are aware of what is being submitted and if it is of any value. This is basically another attempt to raid Apple's wallet just like everyone else who is complaining.

If the system is so bad, just like the App Store is, then quit submitting bugs. Same goes for the App Store...stop developing products for it.
These developers are trying to get paid.
 

Realityck

macrumors G4
Nov 9, 2015
Silicon Valley, CA
Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid. While other companies like Facebook, Microsoft, and Google highlight security researchers that find major bugs and hold conferences and provide resources to encourage a wide range of participants, Apple does not do so.
Oh come now, should we discuss how buggy MS OS patches are compared to Apple's? (you can't look at the dollar amount without counting the number of incidents).

I would agree on an equal reward footing, regardless of the OS being researched, that the security bug bounties should be of similar value to companies that want to know about these issues. That's a reasonable expectation.
 

dguisinger

macrumors 65816
Jul 25, 2002
Good God, people are defending Apple on this one?

People are spending hundreds of hours of their own time (or thousands) searching for individual security holes and showing how to exploit them, and you think they don't deserve compensation (which is an industry norm at this point) for finding it and reporting it out to the vendor?

How many of you waste hundreds of hours doing what is basically your full-time job without getting paid?
 

bousozoku

Moderator emeritus
Jun 25, 2002
Lard
Apple has always shown a great disdain for fixing problems until they become news. When they're on TV or in the newspapers, Apple runs to fix software problems.

They have great opportunities to make their software better, but they seem to have become Adobe in nature. They're so quick to consider new features, some of which may even be useful, that they don't consider fixing problems.
 

KaliYoni

macrumors 68000
Feb 19, 2016
I think security-through-obscurity, as Apple tries to do, is an unsustainable security strategy. It leads to more zero day exploits and unpatched vulnerabilities.

Worse, it depends on near perfection from Apple's developers and QA team. It's pretty bloody obvious that Apple has been shipping software with glaring technical, security, and UI flaws for years now. Perfection is clearly unattainable for Apple.

So, come on Apple! Pay up. It will be better for everybody.
 

bousozoku

Moderator emeritus
Jun 25, 2002
Lard
Oh come now, should we discuss how buggy MS OS patches are compared to Apple's? (you can't look at the dollar amount without counting the number of incidents).

I would agree on an equal reward footing, regardless of the OS being researched, that the security bug bounties should be of similar value to companies that want to know about these issues. That's a reasonable expectation.
Microsoft is quick to patch things, often moving the problem, but never really making their software better.
 

Robert.Walter

macrumors 68040
Jul 10, 2012
At this point I can accept no excuse or justification from apple for why it isn’t paying best in class bounties.

Slow to scale excuses arguments? Ridiculous.

Smaller than industry rewards? It’s literally a marketplace of exploits. Not every hacker is a white hat. Some are beyond US Justice, others it takes years to catch. When Apple isn’t the first stop for exploits, in such cases the damage is done by the time such holes are closed and the crooks caught.

For God’s sake, people have literally died and been hacked into pieces because of unpatched Apple bugs.

And in the meantime Apple wants us to put our medical histories, identification, house and office keys in our devices…

Yes we can blame NSO and FSB etc, but they are finding what is already there. There is no reason Apple couldn’t find most of it first if it doubled down on this.

Apple is the richest company in the history of humanity. It has the financial resources to rival some nation states. There is no traditional business barrier to Apple doing what it needs to here.

Not able to run a robust bug discovery program that draws the best and most submissions (and conversely staffing internally to handle these)? Apple is fully able.

There is no reason that the above can’t be solved. At this point it is only because of perceptual and cultural lag, possible arrogance, a clear lack of CEO priority, and definite CFO cheapskatedness.

I might add it’s pretty glaring that attention and resources are lacking here even as Apple instead builds proof of concept golden keys inviting state coercion to expand their CSAM intrusion into other areas…
 