Security Researchers Don't Think Apple Pays Enough for Bug Bounties

Apple's bug bounty program has been available to select security researchers for almost a year now, but according to a new report from Motherboard, most researchers prefer not to share bugs with Apple due to low payouts. More money can be obtained from third-party sources for bugs in Apple software.

applebugbounty

"People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly."

Motherboard spoke to several members of Apple's bug bounty program with the condition of anonymity. Every single one said they had yet to report a bug to Apple and did not know anyone who had. iOS bugs are "too valuable to report to Apple," according to Patrick Wardle, a Synack researcher and former NSA hacker who was invited to the bug bounty program last year.

Apple first introduced its bug bounty program in August of 2016 at the Black Hat Conference, an annual global InfoSec event. Apple offers bounties of up to $200,000 depending on the vulnerability. Secure boot firmware components earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.

Top Rated Comments

macsrcool1234 Avatar
46 months ago

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

A lot more considering they can just easily sell these exploits to people who can do a lot more damage with it for 5 times as much.....
Score: 22 Votes (Like | Disagree)
SecuritySteve Avatar
46 months ago
I've been reading some of the comments here, as a new security researcher I find that some of your comments are victim of misconceptions that might be easily cleared up with some insight. For example:

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

For one, you might've been right if we were talking about security research from 20 years ago, when it wasn't taken so seriously. However, modern security research is a business in and of itself. It takes a lot of knowledge and training, but more importantly it takes resources. Most external security researchers will not have access to the source code of these applications or OS features that they are probing for vulnerabilities.

Most groups that actively search for vulnerabilities apply techniques like 'fuzzing' where they dedicate hardware to constantly throw input at an application or API until it breaks, and then the researcher figures out if that break is exploitable. These breaks appear in the forms of application crashes and kernel panics. Most kernel level vulnerabilities would sweep the top of the bounty range, since that would allow for access to a system beyond that of an administrator or super user. Getting back to the point, Apple Hardware does not exactly come cheap, and to compete with a lot of the top end researchers like Google's Project Zero, you're going to need a significant investment to even get started.

When any company considers how much to pay out, the company must analyze how frequently bugs are going to be discovered that are significant enough to be rewarded, how much a vulnerability in this particular application or device would be paid for to malicious actors, and what damage to the company would a complete outbreak of an exploit targeting your product would cause to the company's image. If vulnerabilities are going to be frequent, its best to not offer a bounty and to have a team work in-house to discover them - because you will be flooded by submissions from amateur researchers grabbing low-hanging fruit. If vulnerabilities are going to rare and deal high damage to the company's image, as is in Apple's case which champions their security, then the payout needs to be significant enough to compensate researchers for their investment of both time and resources.

I hope this clears things up for readers.
Score: 20 Votes (Like | Disagree)
trsblader Avatar
46 months ago
The prices don't seem bad, and in fact seem pretty generous. I googled some other tech companies payouts and they are no where near Apple's.

Facebook claimed their largest payout ever was just $33,500. A bug that was reported that could unlock any user's account received just $15,000.

Microsoft's top payout is $30,000 with Google (apps such as gmail or YouTube specifically, not Android) just slightly up from there at $31,337. Unrestricted file system access that can lead to a google account takeover receives a max of $13,337 from Google.

For the Android part of Google, the top amount is $150-200k which is more on par with Apple.

I think the underground market will always pay more no matter what price Apple sets.
Score: 15 Votes (Like | Disagree)
826317 Avatar
46 months ago

It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.

Well if you do anything other than report it directly to Apple you're per definition a bad guy. As for the compensation, nobody made you mess around with Apple's systems, you decided to put your own time into it. So if you sell it to a bad
guy, it shows your morality and that you couldn't care less....
Score: 10 Votes (Like | Disagree)
HiRez Avatar
46 months ago
So the guys most likely to cash in these bounties think the bounties should be higher?
Score: 10 Votes (Like | Disagree)
ddurkee Avatar
46 months ago

It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.

If you're going to be honest here, the choice is selling it to Apple or selling it to criminals, for use in criminal activities.
Score: 10 Votes (Like | Disagree)

Top Stories

cook cbs this morning

CBS This Morning: Apple to Make 'Big Announcement' Tomorrow Morning

Tuesday January 12, 2021 8:46 am PST by
CBS This Morning today shared a short clip of an upcoming interview with Apple CEO Tim Cook in which addressing last week's events at the U.S. Capitol, with Cook saying "it's key that people be held accountable for it." Following the clip, Gayle King of CBS noted that the interview with Cook was not specifically arranged to address the current controversy over Parler and other repercussions, ...
ipad pro 2021 mysmartprice cad

Allegedly Leaked 2021 iPad Pro CAD Images Suggest Few Design Changes

Tuesday January 12, 2021 3:38 am PST by
Tech blogs 91mobile and MySmartPrice on Tuesday posted a series of allegedly leaked factory CAD images of Apple's upcoming fifth-generation 11-inch iPad Pro. Rumors suggest Apple plans to announce two new iPad Pro models in both 11-inch and 12.9-inch versions, and today's images offer perhaps the clearest indication yet that Apple's next-generation iPad Pros will have minimal, if any,...
prototype iphone 12 pro

Prototype iPhone 12 Pro Shown Off in Photos

Wednesday January 13, 2021 3:39 pm PST by
Developer Giulio Zompetti, who often shows off prototype versions of Apple devices, today highlighted a prototype version of the iPhone 12 Pro. The iPhone 12 Pro is running an operating system called SwitchBoard, a nonUI version of the iOS 14 update that Apple uses internally. We've seen SwitchBoard on prototype devices before, as Apple uses it to test new features. Zompetti's prototype...
find my app safari post

Safari Allows Users to Enable Hidden 'Items' Tab in 'Find My' App Ahead of AirTags Launch

Wednesday January 13, 2021 5:45 am PST by
As seen in screenshots obtained by MacRumors in 2019, Apple's long-rumored AirTags items trackers are expected to be managed through the Find My app on iPhone, iPad, and Mac. Now, any user can get an early look at this tab. MacRumors reader David Chu today alerted us that the hidden "Items" tab in the Find My app can be enabled on an iPhone or iPad by typing in the link findmy://items in...
iphone x camera close

iOS 14.4 Will Introduce Warning on iPhones With Non-Genuine Cameras

Thursday January 14, 2021 8:07 am PST by
In the second beta of iOS 14.4 seeded to developers and public testers this week, MacRumors contributor Steve Moser has discovered code indicating that Apple will be introducing a new warning on iPhones that have had their camera repaired or replaced with aftermarket components rather than genuine Apple components. "Unable to verify this iPhone has a genuine Apple camera," the message will...
mac anti reflective coating issue

Apple's Anti-Reflective Coating Repair Program Still in Effect for Some MacBooks With New Mail-In Policy

Tuesday January 12, 2021 10:07 am PST by
In an internal memo obtained by MacRumors, Apple recently informed its network of Apple Authorized Service Providers that mail-in repair is now required for Mac notebooks with anti-reflective coating issues in the United States. The new policy went into effect January 4, 2021 and means that customers who take an eligible 12-inch MacBook or MacBook Pro exhibiting this issue to an Apple...
pioneer carplay wc5700nex

The Best Apple-Related Accessories at CES 2021

Wednesday January 13, 2021 1:16 pm PST by
CES 2021 is taking place digitally this year, and it hasn't been as exciting as in past years because many vendors have opted out. That said, some companies are still showing off some interesting Apple-related accessories that are coming out this year and that will be of interest to Mac, iPad, and iPhone users. Subscribe to the MacRumors YouTube channel for more videos. Pioneer Wireless...
Hue module dimmer switch

Philips Hue Announces New Wall Switch Module, Dimmer Switch, and Outdoor Light Bar

Thursday January 14, 2021 3:11 am PST by
Philips Hue has announced a new wireless dimmer switch module that lets Hue bridge owners directly control the smart lighting from their standard wall switches. The new Philips Hue wall switch module is the ideal addition to any Philips Hue set up. Installed behind existing light switches, it allows users to turn their existing switch into a smart switch and ensures their smart lighting is...
whatsapp wallpapers 1

WhatsApp Affirms User Privacy Following Backlash Over Data Sharing With Facebook

Tuesday January 12, 2021 6:39 am PST by
Following backlash after changing its terms and privacy policy to consolidate a significant amount of data sharing with Facebook, WhatsApp is now assuring users about the privacy measures built into its app. Last week, WhatsApp began informing users of updates to the app's terms of service and privacy policy. The updated agreements, which users must consent to in order to continue using...
apple racial equity justice initiative propel center render 01132021

Apple Launches New Nationwide Racial Equity and Justice Initiative Projects

Wednesday January 13, 2021 4:08 am PST by
Apple today announced a set of new projects as part of its $100 million Racial Equity and Justice Initiative (REJI) to help dismantle systemic barriers to opportunity and combat injustices faced by communities of color. Rendering of the Propel Center The projects include the Propel Center, a global innovation and learning hub for Historically Black Colleges and Universities (HBCUs), an Apple ...