Security Researchers Don't Think Apple Pays Enough for Bug Bounties

Apple's bug bounty program has been available to select security researchers for almost a year now, but according to a new report from Motherboard, most researchers prefer not to share bugs with Apple due to low payouts. More money can be obtained from third-party sources for bugs in Apple software.

applebugbounty

"People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly."

Motherboard spoke to several members of Apple's bug bounty program with the condition of anonymity. Every single one said they had yet to report a bug to Apple and did not know anyone who had. iOS bugs are "too valuable to report to Apple," according to Patrick Wardle, a Synack researcher and former NSA hacker who was invited to the bug bounty program last year.

Apple first introduced its bug bounty program in August of 2016 at the Black Hat Conference, an annual global InfoSec event. Apple offers bounties of up to $200,000 depending on the vulnerability. Secure boot firmware components earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.

Top Rated Comments

macsrcool1234 Avatar
52 months ago
Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?
A lot more considering they can just easily sell these exploits to people who can do a lot more damage with it for 5 times as much.....
Score: 22 Votes (Like | Disagree)
SecuritySteve Avatar
52 months ago
I've been reading some of the comments here, as a new security researcher I find that some of your comments are victim of misconceptions that might be easily cleared up with some insight. For example:

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?
For one, you might've been right if we were talking about security research from 20 years ago, when it wasn't taken so seriously. However, modern security research is a business in and of itself. It takes a lot of knowledge and training, but more importantly it takes resources. Most external security researchers will not have access to the source code of these applications or OS features that they are probing for vulnerabilities.

Most groups that actively search for vulnerabilities apply techniques like 'fuzzing' where they dedicate hardware to constantly throw input at an application or API until it breaks, and then the researcher figures out if that break is exploitable. These breaks appear in the forms of application crashes and kernel panics. Most kernel level vulnerabilities would sweep the top of the bounty range, since that would allow for access to a system beyond that of an administrator or super user. Getting back to the point, Apple Hardware does not exactly come cheap, and to compete with a lot of the top end researchers like Google's Project Zero, you're going to need a significant investment to even get started.

When any company considers how much to pay out, the company must analyze how frequently bugs are going to be discovered that are significant enough to be rewarded, how much a vulnerability in this particular application or device would be paid for to malicious actors, and what damage to the company would a complete outbreak of an exploit targeting your product would cause to the company's image. If vulnerabilities are going to be frequent, its best to not offer a bounty and to have a team work in-house to discover them - because you will be flooded by submissions from amateur researchers grabbing low-hanging fruit. If vulnerabilities are going to rare and deal high damage to the company's image, as is in Apple's case which champions their security, then the payout needs to be significant enough to compensate researchers for their investment of both time and resources.

I hope this clears things up for readers.
Score: 20 Votes (Like | Disagree)
trsblader Avatar
52 months ago
The prices don't seem bad, and in fact seem pretty generous. I googled some other tech companies payouts and they are no where near Apple's.

Facebook claimed their largest payout ever was just $33,500. A bug that was reported that could unlock any user's account received just $15,000.

Microsoft's top payout is $30,000 with Google (apps such as gmail or YouTube specifically, not Android) just slightly up from there at $31,337. Unrestricted file system access that can lead to a google account takeover receives a max of $13,337 from Google.

For the Android part of Google, the top amount is $150-200k which is more on par with Apple.

I think the underground market will always pay more no matter what price Apple sets.
Score: 15 Votes (Like | Disagree)
826317 Avatar
52 months ago
It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.
Well if you do anything other than report it directly to Apple you're per definition a bad guy. As for the compensation, nobody made you mess around with Apple's systems, you decided to put your own time into it. So if you sell it to a bad
guy, it shows your morality and that you couldn't care less....
Score: 10 Votes (Like | Disagree)
HiRez Avatar
52 months ago
So the guys most likely to cash in these bounties think the bounties should be higher?
Score: 10 Votes (Like | Disagree)
ddurkee Avatar
52 months ago
It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.
If you're going to be honest here, the choice is selling it to Apple or selling it to criminals, for use in criminal activities.
Score: 10 Votes (Like | Disagree)

Top Stories

macbook air orange

Apple Developing a Whole New Kind of MacBook Air

Monday June 21, 2021 2:15 am PDT by
Apple is believed to be working on a completely new, high-end version of the MacBook Air, according to recent reports. Bloomberg's Mark Gurman, who often reveals accurate insights into Apple's plans, has repeatedly discussed the company's work on a high-end MacBook Air. Apple analyst Ming-Chi Kuo and leaker Jon Prosser have also referred to a similar MacBook Air model. The high-end...
iOS 15 Users Underwhelmed Feature

Users Underwhelmed by iOS 15 and iPadOS 15, Survey Suggests

Monday June 21, 2021 7:17 am PDT by
Users appear to be underwhelmed by Apple's upcoming iOS 15 and iPadOS 15 updates, according to the findings of a new survey by SellCell. The survey asked 3,000 iPhone and iPad users, evenly split between men and women, aged 18 or over in the United States, what they thought of iOS 15, iPadOS 15, and the naming of the upcoming iPhone 13 lineup. Over 50 percent of all of the survey's...
purple iphone 12 and 12 mini

iPhone 12 Mini Production Reportedly Ended Earlier Than Expected Due to Relatively Low Sales

Monday June 21, 2021 7:07 am PDT by
Following widespread reports that the iPhone 12 mini has experienced poor sales performance, at least relative to other iPhone 12 models, Taiwanese research firm TrendForce today claimed that production of the device has already ended. According to TrendForce, the iPhone 12 mini "reached End-of-Life ahead of time" during the second quarter of 2021, suggesting that Apple will focus on selling ...
Dark Sky App Featured

Apple Updates Dark Sky Weather App With Apple Watch Improvements and More

Tuesday June 22, 2021 11:58 am PDT by
Apple today updated the Dark Sky weather app for the first time since November with improved VoiceOver support and other bug fixes and performance improvements. In addition, Dark Sky complications on the Apple Watch now update more frequently. The full release notes for Dark Sky version 6.8.6:• Improved VoiceOver support • Complications on Apple Watch update more frequently •...
iPhone 12 v Android 2020

Apple Executive Says Users Who Want App Sideloading Already Have That Option With Other Platforms

Wednesday June 23, 2021 5:07 am PDT by
Apple earlier today published a detailed report outlining in blatant terms the negative impact that sideloading would have on the iPhone and iPad, specifically calling out the impacts it would have on user privacy and security. Now, the company is continuing its PR push, with an executive noting in an interview that users who wish to sideload apps already have that option thanks to other...
iOS Spam Calendar Feature

iCloud Users Continue to Be Plagued by Calendar Spam

Monday June 21, 2021 8:51 am PDT by
Despite previous attempts to put the situation at rest, some iCloud users continue to experience spam calendar invitations, causing their calendars to be filled with random events. The situation received widespread coverage in 2016, where Apple said that it was "actively working to address this issue" by "identifying and blocking suspicious senders." Victims are targeted in various ways. The ...
primeday2020 feature3

Amazon Prime Day: The Best Apple Deals

Monday June 21, 2021 6:15 am PDT by
Amazon's annual Prime Day event has officially kicked off today, beginning 48 hours of discounts, offers, and tons of savings across Amazon's storefront. This includes everything from home electronics to clothing, jewelry, video games, movies, and much more. Note: MacRumors is an affiliate partner with these vendors. When you click a link and make a purchase, we may receive a small payment,...
ios wifi settings

iOS Bug Causes Specific Network Name to Disable Wi-Fi on iPhones

Sunday June 20, 2021 4:15 am PDT by
A wireless network naming bug has been discovered in iOS that effectively disables an iPhone's ability to connect to Wi-Fi. Security researcher Carl Schou found that after joining a Wi-Fi network with the name "%p%s%s%s%s%n" his iPhone's Wi-Fi functionality was left "permanently disabled." Changing a hotspot's SSID did nothing to correct the problem, with even a reboot failing to make a...
iphone 13 lineup dummy models

iPhone 13 Dummy Models Depict Repositioned Camera Modules

Wednesday June 23, 2021 4:12 am PDT by
New alleged dummy models of the upcoming iPhone 13, shared by leaker Sonny Dickson on Twitter, depict a modified camera layout on the standard iPhone 13 and iPhone 13 mini, with two lenses in a diagonal arrangement rather than the vertical arrangement seen on the iPhone 12 models. The dummy models generally line up with iPhone 13 schematics previously seen by MacRumors, which showed that the ...
iphone 13 yellow

TrendForce: iPhone 13 Lineup Will Remain Limited to Maximum 512GB of Storage

Monday June 21, 2021 6:33 am PDT by
Apple will likely unveil its next-generation "iPhone 12s" or "iPhone 13" lineup in around two and a half months from now, and ahead of time, Taiwanese research firm TrendForce has outlined its expectations for the devices. A summary of TrendForce's expectations:Apple will unveil four new iPhones in September, including a mini model, a standard model, and two Pro models. September is the...