Security Researchers Unhappy With Apple's Bug Bounty Program

Apple offers a bug bounty program that's designed to pay security researchers for discovering and reporting critical bugs in Apple operating systems, but researchers are not happy with how it operates or Apple's payouts in comparison to other major tech companies, reports The Washington Post.

apple devices security bug bounty mac iphone ipad
In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn't always pay out what's owed.

Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid. While other companies like Facebook, Microsoft, and Google highlight security researchers that find major bugs and hold conferences and provide resources to encourage a wide range of participants, Apple does not do so.

Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed.

Apple's reluctance to be more open with security researchers has discouraged some researchers from providing flaws to Apple, with those researchers instead selling them to customers like government agencies or companies that offer up hacking services.

Apple's Head of Security Engineering and Architecture, Ivan Krstić, told The Washington Post that Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future.

"We are also planning to introduce new rewards for researchers to keep expanding participation in the program, and we are continuing to investigate paths to offer new and even better research tools that meet our rigorous, industry-leading platform security model."

Luta Security founder Katie Moussouris told The Washington Post that Apple's poor reputation with the security community could in the future lead to "less secure products" and "more cost."

Apple's bug bounty program promises rewards ranging from $100,000 to $1,000,000, and Apple also provides some researchers with special iPhones dedicated to security research. These iPhones are less locked down than consumer devices and are designed to make it easier for security vulnerabilities and weaknesses to be unearthed.

Sam Curry, a security researcher that worked with Apple in 2020, said that he offered feedback to Apple and that he feels like the company is aware of how it's seen and "trying to move forward." According to The Washington Post, Apple this year hired a new leader for the bug bounty program, so it could soon see some improvements.

Top Rated Comments

TheYayAreaLiving Avatar
2 weeks ago
I don't think anyone is happy with Apple. Apple needs to step it up.

Security, privacy and being able to fix bugs should be the top priority for Apple.
Score: 26 Votes (Like | Disagree)
rgeneral Avatar
2 weeks ago
In today's world, security should be given the highest priority like the design of products.
Score: 24 Votes (Like | Disagree)
Shirasaki Avatar
2 weeks ago
Apple wants a more locked down system but reluctant to pay researchers that help achieving the goal. I have no idea what Apple is actually thinking now.

Maybe several high profile mass exploits would let Apple rethink their strategies. Or, maybe Apple just cave and build their own backdoors.

What a year we are living in.
Score: 23 Votes (Like | Disagree)
dguisinger Avatar
2 weeks ago
Good God, people are defending Apple on this one?

People are spending hundreds of hours of their own time (or thousands) searching for individual security holes and showing how to exploit them, and you think they don't deserve compensation (which is an industry norm at this point) for finding it and reporting it out to the vendor?

How many of you waste hundreds of hours doing what is basically your fulltime job without getting paid?
Score: 21 Votes (Like | Disagree)
xxray Avatar
2 weeks ago
Who isn't unhappy with Apple lately? Rough year for the McIntosh.
Score: 17 Votes (Like | Disagree)
Spizike9 Avatar
2 weeks ago
It’s very simple. If you don’t like the way Apple does it then don’t find their bugs. Eventually there will be some bad exploits and Apple will start paying more for the good guys to find their flaws.
Score: 17 Votes (Like | Disagree)

Top Stories

corellium

Apple and Corellium Agree on Settlement to Bring Lawsuit to an End

Tuesday August 10, 2021 11:36 pm PDT by
Apple this week dropped its long-standing lawsuit against Corellium, the security research company that provides security researchers with a replica of the iOS operating system, allowing them to locate possible security exploits within Apple's mobile operating system, The Washington Post reports. Apple filed a lawsuit against Corellium in 2019, claiming the security company was infringing...
applesecuritydevice

Apple Sending Special iPhones to First Participants in Security Research Device Program

Tuesday December 22, 2020 4:40 pm PST by
Apple in July announced the launch of a new Apple Security Research Device Program, which is designed to provide researchers with specially-configured iPhones that are equipped with unique code execution and containment policies to support security research. Apple is notifying the first researchers who will be receiving these special iPhones as of today, and the Cupertino company says that...
corellium

Apple Appeals Corellium Copyright Lawsuit Loss After Settling Other Claims

Tuesday August 17, 2021 7:23 pm PDT by
Back in December, Apple lost a copyright lawsuit against security research company Corellium, and today, Apple filed an appeal in that case, reports Reuters. The judge in the copyright case determined that Corellium was operating under fair use terms and that its use of iOS was permissible, throwing out several of Apple's claims. For those unfamiliar with Corellium, the software is designed...
appleprivacyad

Corellium Launching New Initiative to Hold Apple Accountable Over CSAM Detection Security and Privacy Claims

Tuesday August 17, 2021 1:35 am PDT by
Security research firm Corellium this week announced it is launching a new initiative that will "support independent public research into the security and privacy of mobile applications," and one of the initiative's first projects will be Apple's recently announced CSAM detection plans. Since its announcement earlier this month, Apple's plan to scan iPhone users' photo libraries for CSAM or...
tim cook privacy

Apple Not Trying Hard Enough to Protect Users Against Surveillance, Researchers Say

Friday July 23, 2021 6:46 am PDT by
Following the news of widespread commercial hacking spyware on targeted iPhones, a large number of security researchers are now saying that Apple could do more to protect its users (via Wired). Earlier this week, it was reported that journalists, lawyers, and human rights activists around the world had been targeted by governments using phone malware made by the surveillance firm NSO Group...
Child Safety Feature Blue

Apple Delays Rollout of Controversial Child Safety Features to Make Improvements

Friday September 3, 2021 6:07 am PDT by
Apple has delayed the rollout of the Child Safety Features that it announced last month following negative feedback, the company has today announced. The planned features include scanning users' iCloud Photos libraries for Child Sexual Abuse Material (CSAM), Communication Safety to warn children and their parents when receiving or sending sexually explicit photos, and expanded CSAM guidance...
Child Safety Feature Blue

Apple Says NeuralHash Tech Impacted by 'Hash Collisions' Is Not the Version Used for CSAM Detection

Wednesday August 18, 2021 1:13 pm PDT by
Developer Asuhariet Yvgar this morning said that he had reverse-engineered the NeuralHash algorithm that Apple is using to detect Child Sexual Abuse Materials (CSAM) in iCloud Photos, posting evidence on GitHub and details on Reddit. Yvgar said that he reverse-engineered the NeuralHash algorithm from iOS 14.3, where the code was hidden, and he rebuilt it in Python. After he uploaded his...
chinafoxconn

Apple Plans to Develop Program to Improve Supply Chain Security

Wednesday August 25, 2021 3:53 pm PDT by
Apple CEO Tim Cook this morning attended a cybersecurity meeting with U.S. President Joe Biden and executives from other tech companies like Microsoft, Google, and Amazon. Following the summit, the White House said that the companies in attendance pledged their help to bolster U.S. cybersecurity efforts, with Apple planning to develop a program to make security improvements across its...
corellium

Apple Loses Copyright Claims in Lawsuit Against Corellium

Tuesday December 29, 2020 11:12 am PST by
Corellium, a mobile device company that supports iOS, this week won a significant victory in its legal battle against Apple. Apple last year sued Corellium for copyright infringement because the Corellium software is designed to replicate iOS to allow security researchers to locate bugs and security flaws. According to The Washington Post, a Florida judge threw out Apple's claims that...
iOS 14 on iPhone feature emergency

Apple Releases iOS 14.8 and iPadOS 14.8 With Security Updates

Monday September 13, 2021 9:57 am PDT by
Apple today released iOS 14.8, marking the eighth major update to the iOS operating system that came out in September 2020. iOS 14.8 comes two months after the release of iOS 14.7, an update that introduced MagSafe Battery Pack support. The iOS 14.8 update can be downloaded for free and the software is available on all eligible devices over-the-air in the Settings app. To access the new...