Security Researchers Unhappy With Apple's Bug Bounty Program
Apple offers a bug bounty program that's designed to pay security researchers for discovering and reporting critical bugs in Apple operating systems, but researchers are not happy with how it operates or Apple's payouts in comparison to other major tech companies, reports The Washington Post.
In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn't always pay out what's owed.
Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid. While other companies like Facebook, Microsoft, and Google highlight security researchers that find major bugs and hold conferences and provide resources to encourage a wide range of participants, Apple does not do so.
Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed.
Apple's reluctance to be more open with security researchers has discouraged some researchers from providing flaws to Apple, with those researchers instead selling them to customers like government agencies or companies that offer up hacking services.
Apple's Head of Security Engineering and Architecture, Ivan Krstić, told The Washington Post that Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future.
"We are also planning to introduce new rewards for researchers to keep expanding participation in the program, and we are continuing to investigate paths to offer new and even better research tools that meet our rigorous, industry-leading platform security model."
Luta Security founder Katie Moussouris told The Washington Post that Apple's poor reputation with the security community could in the future lead to "less secure products" and "more cost."
Apple's bug bounty program promises rewards ranging from $100,000 to $1,000,000, and Apple also provides some researchers with special iPhones dedicated to security research. These iPhones are less locked down than consumer devices and are designed to make it easier for security vulnerabilities and weaknesses to be unearthed.
Sam Curry, a security researcher that worked with Apple in 2020, said that he offered feedback to Apple and that he feels like the company is aware of how it's seen and "trying to move forward." According to The Washington Post, Apple this year hired a new leader for the bug bounty program, so it could soon see some improvements.