A new report from Motherboard last week goes into detail about Apple's bug bounty program. The program is meant to encourage security researchers to submit "high-value" bugs in exchange for payment. The report from Motherboard explains that the program is not taking off as fast as Apple had hoped.
At the time of the announcement, Apple broke down the maximum payments as part of its bounty program:
- Secure boot firmware: $200,000
- Extraction of confidential material protected by the Secure Enclave Processor: $100,000
- Execution of arbitrary code with kernel privileges: $50,000
- Unauthorized access to iCloud account data on Apple Servers: $50,000
- Access from a sandboxed process to user data outside of that sandbox: $25,000
Motherboard's report explains that Apple is not paying nearly enough, as researchers can get considerably more for bugs from third parties. Also, reporting some of the bugs they find could prevent them from doing further research. Nikias Bassen, a security researcher at Zimperium who joined Apple's program last year, said:
People can get more cash if they sell their bugs to others. If you're just doing it for the money, you're not going to give to Apple directly.
Furthermore, the report notes that eight bug hunters said they had not submitted a bug to Apple, nor did they know of anyone who had.
Apple simply does not seem to be paying researchers enough for bugs. Motherboard says that in the current gray market, companies such as Zerodium buy exploits from researchers and sell them to their customers, offering $1.5 million for a method "comprised of multiple bugs that can jailbreak the iPhone." Another company offers $500,000 for similar exploits.
The report also notes how much effort Apple has put into its bug bounty program, like flying prominent researchers to Cupertino for closed-door meetings, only for the program to falter.
Apple pitched the researchers on collaborating with the company by joining the bug bounty program. Apple security employees gave presentations, took the researchers out for dinner, and gave them a chance to chat and discuss their work. Even Craig Federighi, Apple's senior vice president of software engineering, made a surprise appearance to meet and greet the researchers, according to two sources who attended.
Whether or not Apple has any changes in mind for its bug bounty program remains unknown. In its current state, researchers are looking elsewhere for their payouts. Thanks for reading. Check out Motherboard's report here.