Security Researchers Unhappy With Apple's Bug Bounty Program

Apple offers a bug bounty program that's designed to pay security researchers for discovering and reporting critical bugs in Apple operating systems, but researchers are not happy with how it operates or Apple's payouts in comparison to other major tech companies, reports The Washington Post.

apple devices security bug bounty mac iphone ipad
In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn't always pay out what's owed.

Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid. While other companies like Facebook, Microsoft, and Google highlight security researchers that find major bugs and hold conferences and provide resources to encourage a wide range of participants, Apple does not do so.

Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed.

Apple's reluctance to be more open with security researchers has discouraged some researchers from providing flaws to Apple, with those researchers instead selling them to customers like government agencies or companies that offer up hacking services.

Apple's Head of Security Engineering and Architecture, Ivan Krstić, told The Washington Post that Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future.

"We are also planning to introduce new rewards for researchers to keep expanding participation in the program, and we are continuing to investigate paths to offer new and even better research tools that meet our rigorous, industry-leading platform security model."

Luta Security founder Katie Moussouris told The Washington Post that Apple's poor reputation with the security community could in the future lead to "less secure products" and "more cost."

Apple's bug bounty program promises rewards ranging from $100,000 to $1,000,000, and Apple also provides some researchers with special iPhones dedicated to security research. These iPhones are less locked down than consumer devices and are designed to make it easier for security vulnerabilities and weaknesses to be unearthed.

Sam Curry, a security researcher that worked with Apple in 2020, said that he offered feedback to Apple and that he feels like the company is aware of how it's seen and "trying to move forward." According to The Washington Post, Apple this year hired a new leader for the bug bounty program, so it could soon see some improvements.

Top Rated Comments

TheYayAreaLiving ? Avatar
9 months ago
I don't think anyone is happy with Apple. Apple needs to step it up.

Security, privacy and being able to fix bugs should be the top priority for Apple.
Score: 26 Votes (Like | Disagree)
rgeneral Avatar
9 months ago
In today's world, security should be given the highest priority like the design of products.
Score: 24 Votes (Like | Disagree)
Shirasaki Avatar
9 months ago
Apple wants a more locked down system but reluctant to pay researchers that help achieving the goal. I have no idea what Apple is actually thinking now.

Maybe several high profile mass exploits would let Apple rethink their strategies. Or, maybe Apple just cave and build their own backdoors.

What a year we are living in.
Score: 23 Votes (Like | Disagree)
dguisinger Avatar
9 months ago
Good God, people are defending Apple on this one?

People are spending hundreds of hours of their own time (or thousands) searching for individual security holes and showing how to exploit them, and you think they don't deserve compensation (which is an industry norm at this point) for finding it and reporting it out to the vendor?

How many of you waste hundreds of hours doing what is basically your fulltime job without getting paid?
Score: 21 Votes (Like | Disagree)
xxray Avatar
9 months ago
Who isn't unhappy with Apple lately? Rough year for the McIntosh.
Score: 17 Votes (Like | Disagree)
Spizike9 Avatar
9 months ago
It’s very simple. If you don’t like the way Apple does it then don’t find their bugs. Eventually there will be some bad exploits and Apple will start paying more for the good guys to find their flaws.
Score: 17 Votes (Like | Disagree)

Related Stories

safari icon blue banner

Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]

Sunday January 16, 2022 3:37 pm PST by
A bug in WebKit's implementation of a JavaScript API called IndexedDB can reveal your recent browsing history and even your identity, according to a blog post shared on Friday by browser fingerprinting service FingerprintJS. In a nutshell, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user's browsing session....
iOS App Store General Feature JoeBlue

Upcoming EU Sideloading Bill Would 'Cripple the Privacy and Security Protections' iPhone Users Expect, Says Apple

Thursday March 17, 2022 10:38 am PDT by
The European Union is set to introduce new legislation as soon as this month that would significantly affect how the App Store operates in Europe, reports The Wall Street Journal. The Digital Markets Act has been in development for some time and the finalized version that could be completed as soon as this month will allow for sideloading and alternate app store options. Apple will be...
corellium

Apple and Corellium Agree on Settlement to Bring Lawsuit to an End

Tuesday August 10, 2021 11:36 pm PDT by
Apple this week dropped its long-standing lawsuit against Corellium, the security research company that provides security researchers with a replica of the iOS operating system, allowing them to locate possible security exploits within Apple's mobile operating system, The Washington Post reports. Apple filed a lawsuit against Corellium in 2019, claiming the security company was infringing...
powerdir exploit microsoft

Microsoft Discovered New 'Powerdir' macOS Vulnerability, Fixed in 12.1 Update

Monday January 10, 2022 9:17 am PST by
Microsoft's 365 Defender Research Team this morning published details on a new "Powerdir" macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data. Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update that was released in December, so users who have updated to the...
apple logo us flag smooth

Apple to Attend White House Meeting to Discuss Security Risks of Open-Source Software

Thursday January 13, 2022 5:10 am PST by
Apple will be among several U.S. tech giants to attend a meeting at the White House today to discuss cybersecurity and possible security threats posed by open-source software, Reuters reports. The meeting will be held by U.S. National Security Advisor Jake Sullivan and will focus on "concerns around the security of open-source software and how it can be improved." The meeting was prompted by ...
corellium

Apple Appeals Corellium Copyright Lawsuit Loss After Settling Other Claims

Tuesday August 17, 2021 7:23 pm PDT by
Back in December, Apple lost a copyright lawsuit against security research company Corellium, and today, Apple filed an appeal in that case, reports Reuters. The judge in the copyright case determined that Corellium was operating under fair use terms and that its use of iOS was permissible, throwing out several of Apple's claims. For those unfamiliar with Corellium, the software is designed...
iPhone 13 Security

Apple Apologizes to Researcher for Ignoring iOS Vulnerabilities, Says It's 'Still Investigating'

Monday September 27, 2021 12:55 pm PDT by
Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after he said that Apple had ignored his reports and had failed to fix the issues for several months. Tokarev today told Motherboard that Apple got in touch after he went public with his complaints and after they saw significant media attention. In an email, Apple apologized for the contact delay...
tim cook privacy

Apple Not Trying Hard Enough to Protect Users Against Surveillance, Researchers Say

Friday July 23, 2021 6:46 am PDT by
Following the news of widespread commercial hacking spyware on targeted iPhones, a large number of security researchers are now saying that Apple could do more to protect its users (via Wired). Earlier this week, it was reported that journalists, lawyers, and human rights activists around the world had been targeted by governments using phone malware made by the surveillance firm NSO Group...

Popular Stories

iPhone 14 Pro Purple Front and Back MacRumors Exclusive

iPhone 14 Pro Renders Highlight Multiple Design Changes

Wednesday May 25, 2022 8:56 am PDT by
Leaker Jon Prosser today shared ostensibly accurate renders of the iPhone 14 Pro, providing the most accurate look yet at what the device could look like when it launches later this year. In the latest video on YouTube channel Front Page Tech, Prosser revealed renders of the iPhone 14 Pro made by Apple concept graphic designer Ian Zelbo, highlighting a range of specific design changes...
iPad Pro USB C Feature Coral

Deals: Apple's iPad Pro Reaches Up to $449 Off in Amazon's Latest Sales

Wednesday May 25, 2022 10:09 am PDT by
Amazon is marking down a wide variety of 11-inch and 12.9-inch iPad Pro models this week, with prices starting as low as $749.00 for the 11-inch tablet. You'll find the full list of sales below, all of which can be found on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep...
apple account card

Wallet App Now Supports Apple Account Cards on iOS 15.5

Wednesday May 25, 2022 5:01 pm PDT by
Apple appears to have recently updated the Wallet app to allow users to add an Apple Account Card, which displays the Apple credit balance associated with an Apple ID. If you receive an App Store or Apple Store gift card, for example, it is added to an Apple Account that was previously visible in the App Store and Apple Store apps. As of today, the Apple Account balance can also be added to...
iphone 13 pro max display bleen

iPhone 14 Max Reportedly Weeks Behind Schedule [Updated]

Thursday May 26, 2022 7:25 am PDT by
The iPhone 14 Max is currently behind schedule by around three weeks, according to Haitong International Securities analyst Jeff Pu. Yesterday, Nikkei Asia reported that at least one iPhone 14 model was three weeks behind schedule due to the impact of lockdowns on Apple's supply chains in China, but it was not clear which iPhone 14 model this related to. Now, Pu has clarified that the model...
iPhone 13 Always On Feature

iPhone 14 Pro Screen Refresh Rate Upgrade Could Allow for Always-On Display

Tuesday May 24, 2022 7:23 am PDT by
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round. To bring ProMotion displays to the ‌iPhone 13 Pro models‌, Apple adopted LTPO panel technology with variable refresh...
Apple Tap to Pay iPhone

Apple Stores Rolling Out iPhone-to-iPhone Contactless Payments Starting Today

Wednesday May 25, 2022 6:54 am PDT by
Apple in February unveiled a new "Tap to Pay on iPhone" feature that will allow compatible iPhones to accept payments via Apple Pay, contactless credit and debit cards, and other digital wallets, with no additional hardware required. Apple began testing the feature at its Apple Park Visitor Center earlier this month, and now Bloomberg's Mark Gurman has tweeted that the feature will begin...
apple tv 4k design green

Apple Releases tvOS 15.5.1 for Apple TV HD and Apple TV 4K

Wednesday May 25, 2022 9:42 am PDT by
Apple today released tvOS 15.5.1, a minor update to the tvOS operating system that first launched in September 2021. tvOS 15.5.1 comes about 10 days after the launch of tvOS 15.5. tvOS 15.5.1 can be downloaded over the air on the Apple TV through the Settings app by going to System > Software Update. ‌‌‌‌‌‌Apple TV‌‌‌‌‌‌ owners who have automatic software updates...