Security Researchers Don't Think Apple Pays Enough for Bug Bounties

[MacRumors]

Apple's bug bounty program has been available to select security researchers for almost a year now, but according to a new report from Motherboard, most researchers prefer not to share bugs with Apple due to low payouts. More money can be obtained from third-party sources for bugs in Apple software.

"People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly."

Motherboard spoke to several members of Apple's bug bounty program with the condition of anonymity. Every single one said they had yet to report a bug to Apple and did not know anyone who had. iOS bugs are "too valuable to report to Apple," according to Patrick Wardle, a Synack researcher and former NSA hacker who was invited to the bug bounty program last year.

Apple first introduced its bug bounty program in August of 2016 at the Black Hat Conference, an annual global InfoSec event. Apple offers bounties of up to $200,000 depending on the vulnerability. Secure boot firmware components earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.

Article Link: Security Researchers Don't Think Apple Pays Enough for Bug Bounties

 

[ghostface147]

So pay up?

 

[826317]

Isn't this pointless though, I mean, if the person who found the bug is a bad guy he's not going to report it to Apple regardless.....

 

[Neepman]

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

 

[jgelin]

Isn't this pointless though, I mean, if the person who found the bug is a bad guy he's not going to report it to Apple regardless.....

It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.

 

[modemthug]

Probably because Apple just hires the best people that will come work for them

Still, the biggest company in the world should pay the biggest bounties and get big results from people falling over themselves to find vulnerabilities

 

[macsrcool1234]

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

A lot more considering they can just easily sell these exploits to people who can do a lot more damage with it for 5 times as much.....

 

[karmazynowy]

If you have personal data of a rich person (including credit card data) you will get more selling those data to the bad guys, than selling them to someone legally working (insurance company, yacht dealer etc). Does this mean you should always take bigger money and do not care who pays?

 

[826317]

It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.

Well if you do anything other than report it directly to Apple you're per definition a bad guy. As for the compensation, nobody made you mess around with Apple's systems, you decided to put your own time into it. So if you sell it to a bad
guy, it shows your morality and that you couldn't care less....

 

[Will.O.Bie]

So, it's not necessarily Apple's fault that their software has bugs, they are not aware of it coz of security software companies want more money? How can Apple fix something they don't know they have? In a sense, they are being held hostage by their own product. Kinda counter productive but understandable from a researcher's standpoint. I would want to be compensated fairly too for my work.

I don't know exactly what is the going rate for bugs and how they determine these market prices but if Apple were to pay more, it opens up the floodgates for exuberant price tags for bugs being discovered. If they do, guess what? Those prices will be reflected on an already expensive Apple products on the consumer level. We are already paying premium prices for Apple products. This will only drive the prices even higher if they give in.

So what is fair exactly?

 

[KALLT]

If you have personal data of a rich person (including credit card data) you will get more selling those data to the bad guys, than selling them to someone legally working (insurance company, yacht dealer etc). Does this mean you should always take bigger money and do not care who pays?

I think that is a good point. Apple doesn’t seem to be interested in a bidding war against the black market. They are just giving some compensation or modest reward for those people that want to do the right thing anyway.

 

[dogslobber]

It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.

$50k is actually an insult as your card is then marked from that moment forward. To be worth that hassle, the price should be more like $25m.

 

[zantafio]

they should multiply those bounties by 10 across the board, it's not like it's going to break the bank

 

[dogslobber]

So, it's not necessarily Apple's fault that their software has bugs, they are not aware of it coz of security software companies want more money? How can Apple fix something they don't know they have?

Eh? If what you're suggesting were true then perhaps they should improve their process to find the bugs internally to their org rather than leaving it to the external people.

 

[Will.O.Bie]

Eh? If what you're suggesting were true then perhaps they should improve their process to find the bugs internally to their org rather than leaving it to the external people.

I'm assuming you're a software developer. If you create a software and have beta testers test run it, you won't find all the bugs that will haunt your software. I would assume you would need a higher level of experts to find these bugs, hence the bounty program. I hear what you're saying about doing it internally. I question that very same sentiment all the time as why do they need testers when they can easily do it themselves. Good point!

 

[HiRez]

So the guys most likely to cash in these bounties think the bounties should be higher?

 

[trsblader]

The prices don't seem bad, and in fact seem pretty generous. I googled some other tech companies payouts and they are no where near Apple's.

Facebook claimed their largest payout ever was just $33,500. A bug that was reported that could unlock any user's account received just $15,000.

Microsoft's top payout is $30,000 with Google (apps such as gmail or YouTube specifically, not Android) just slightly up from there at $31,337. Unrestricted file system access that can lead to a google account takeover receives a max of $13,337 from Google.

For the Android part of Google, the top amount is $150-200k which is more on par with Apple.

I think the underground market will always pay more no matter what price Apple sets.

 

[lostngone]

Don't you mean extortion payouts?
.
Lets face it the only way a Blackhat is going to tell Apple about a exploit is if they are going to pay more than they can sell it for or if the exploit is small enough that it isn't worth anything.

 

[frumpy16]

Make selling vulnerabilities to third parties illegal and that will change the balance. Or, if you sell a vulnerability to a third party and that third party either exploits it or passes it onward to someone else that does, you are held liable for damages caused.

 

[Eorlas]

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

The average salary for a Security Researcher is ~$110k. Companies have put down million dollar figures for the exploits necessary to create iOS jailbreaks. The FBI also spent a lot of money cracking into someone's iPhone a year or two ago.

Google pays huge bounties for major fixes just for bugs with Chrome. Cyber security is a massively ludicrous industry and you don't need a degree to be even slightly successful in it.

The guys with their jammies on and a hand in their pants are raking it in but they don't even need to come out of college with mortgage-sized debts to do it.

 

[AaronChamberlain]

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

Clearly you don't know what a security research firm is. There are lots of companies these days that make all their profit by simply getting their employees to find bugs and report them to a company that pays up Facebook, Google, Apple, etc. It can sometimes take several months to find out how to reproduce a bug. So $200,000 for the worst kinds of bugs, honestly may not be enough for a company trying to pay salaries.

And look at what the other side of the coin is: someone finds a bug in the system, sells it to someone else, it causes havoc, and Apple loses Millions in stock losses.

 

[kdarling]

Wow.

Everyone misses the most important point. For instance, look at what the $100,000 offer is for.

Apparently Apple is not confident enough in the ability of the Secure Enclave to protect information, to boldly offer ten million dollars or even a lousy million to anyone who finds otherwise.

The relatively low amount they offer speaks volumes about their claims of unbreakable security.

Think about it. Being able to break the Secure Enclave would be worth many millions to criminals and governments alike.

If someone did find a way to say, access the file crypto keys, or change the TouchID stored templates, or get the key to talk to the payment processor.... then what the heck is Apple thinking offering so little, for something that could totally collapse consumer confidence in them ????

Talk about penny wise and pound foolish.

 

[SecuritySteve]

I've been reading some of the comments here, as a new security researcher I find that some of your comments are victim of misconceptions that might be easily cleared up with some insight. For example:

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

For one, you might've been right if we were talking about security research from 20 years ago, when it wasn't taken so seriously. However, modern security research is a business in and of itself. It takes a lot of knowledge and training, but more importantly it takes resources. Most external security researchers will not have access to the source code of these applications or OS features that they are probing for vulnerabilities.

Most groups that actively search for vulnerabilities apply techniques like 'fuzzing' where they dedicate hardware to constantly throw input at an application or API until it breaks, and then the researcher figures out if that break is exploitable. These breaks appear in the forms of application crashes and kernel panics. Most kernel level vulnerabilities would sweep the top of the bounty range, since that would allow for access to a system beyond that of an administrator or super user. Getting back to the point, Apple Hardware does not exactly come cheap, and to compete with a lot of the top end researchers like Google's Project Zero, you're going to need a significant investment to even get started.

When any company considers how much to pay out, the company must analyze how frequently bugs are going to be discovered that are significant enough to be rewarded, how much a vulnerability in this particular application or device would be paid for to malicious actors, and what damage to the company would a complete outbreak of an exploit targeting your product would cause to the company's image. If vulnerabilities are going to be frequent, its best to not offer a bounty and to have a team work in-house to discover them - because you will be flooded by submissions from amateur researchers grabbing low-hanging fruit. If vulnerabilities are going to rare and deal high damage to the company's image, as is in Apple's case which champions their security, then the payout needs to be significant enough to compensate researchers for their investment of both time and resources.

I hope this clears things up for readers.

 

[KeanosMagicHat]

Considering the number of hacks that target iCloud specifically and the explicit Apple marketing of the service to customers, I agree $50K seems low for that category.

 

[Sasparilla]

Apple needs to adjust to market rates or above market rates (Apple can certainly afford it) to entice these folks in and lock their OS's and services down even further. Currently the 3 letter agencies and firms supporting despotic regimes (can cover alot can't it), don't want Apple raising those bounties...

Kick'm in the balls Apple, raise the rates and lock your vulnerabilities down further.