Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,622
16,778


Apple offers a bug bounty program that's designed to pay security researchers for discovering and reporting critical bugs in Apple operating systems, but researchers are not happy with how it operates or Apple's payouts in comparison to other major tech companies, reports The Washington Post.

apple-devices-security-bug-bounty-mac-iphone-ipad.jpg

In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn't always pay out what's owed.

Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid. While other companies like Facebook, Microsoft, and Google highlight security researchers that find major bugs and hold conferences and provide resources to encourage a wide range of participants, Apple does not do so.

Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed.

Apple's reluctance to be more open with security researchers has discouraged some researchers from providing flaws to Apple, with those researchers instead selling them to customers like government agencies or companies that offer up hacking services.

Apple's Head of Security Engineering and Architecture, Ivan Krstić, told The Washington Post that Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future.
"We are also planning to introduce new rewards for researchers to keep expanding participation in the program, and we are continuing to investigate paths to offer new and even better research tools that meet our rigorous, industry-leading platform security model."
Luta Security founder Katie Moussouris told The Washington Post that Apple's poor reputation with the security community could in the future lead to "less secure products" and "more cost."

Apple's bug bounty program promises rewards ranging from $100,000 to $1,000,000, and Apple also provides some researchers with special iPhones dedicated to security research. These iPhones are less locked down than consumer devices and are designed to make it easier for security vulnerabilities and weaknesses to be unearthed.

Sam Curry, a security researcher that worked with Apple in 2020, said that he offered feedback to Apple and that he feels like the company is aware of how it's seen and "trying to move forward." According to The Washington Post, Apple this year hired a new leader for the bug bounty program, so it could soon see some improvements.

Article Link: Security Researchers Unhappy With Apple's Bug Bounty Program
 

Shirasaki

macrumors G5
May 16, 2015
12,078
6,146
Apple wants a more locked down system but reluctant to pay researchers that help achieving the goal. I have no idea what Apple is actually thinking now.

Maybe several high profile mass exploits would let Apple rethink their strategies. Or, maybe Apple just cave and build their own backdoors.

What a year we are living in.
 

gsurf123

macrumors 6502
Jun 1, 2017
278
446
None of us are aware of what is being submitted and if it is of any value. This is basically another attempt to raid Apple's wallet just like everyone else who is complaining.

If the system is so bad, just like the App Store is, then quit submitting bugs. Same goes for the App Store...stop developing products for it.
 

TheYayAreaLiving

macrumors demi-goddess
Jun 18, 2013
11,314
34,918
Las Vegas, Nevada, USA.
None of us are aware of what is being submitted and if it is of any value. This is basically another attempt to raid Apple's wallet just like everyone else who is complaining.

If the system is so bad, just like the App Store is, then quit submitting bugs. Same goes for the App Store...stop developing products for it.
These developers are trying to get paid.
 

Realityck

macrumors 68020
Nov 9, 2015
2,399
3,419
Silicon Valley, CA
Apple in 2020 paid out $3.7 million, about half of the $6.7 million that Google paid to researchers, and far less than the $13.6 million Microsoft paid. While other companies like Facebook, Microsoft, and Google highlight security researchers that find major bugs and hold conferences and provide resources to encourage a wide range of participants, Apple does not do so.
Oh come now, should we discuss how buggy MS OS patches are compared to Apple's? (you can't look at the dollar amount without counting the number of incidents).

I would agree on a equal reward footing irregardless of the OS being researched that the security bug bounties should be similar value to companies that want to know about these issues. Thats a reasonable expectation.
 

dguisinger

macrumors 65816
Jul 25, 2002
1,005
1,755
Good God, people are defending Apple on this one?

People are spending hundreds of hours of their own time (or thousands) searching for individual security holes and showing how to exploit them, and you think they don't deserve compensation (which is an industry norm at this point) for finding it and reporting it out to the vendor?

How many of you waste hundreds of hours doing what is basically your fulltime job without getting paid?
 

bousozoku

Moderator emeritus
Jun 25, 2002
14,542
614
Lard
Apple has always shown a great disdain for fixing problems until they become news. When they're on TV or in the newspapers, Apple runs to fix software problems.

They have great opportunities to make their software better, but they seem to have become Adobe in nature. They're so quick to consider new features, some of which may even be useful, that they don't consider fixing problems.
 

KaliYoni

macrumors 6502a
Feb 19, 2016
556
903
I think security-through-obscurity, as Apple tries to do, is an unsustainable security strategy. It leads to more zero day exploits and unpatched vulnerabilities.

Worse, it depends on near perfection from Apple's developers and QA team. It's pretty bloody obvious that Apple has been shipping software with glaring technical, security, and UI flaws for years now. Perfection is clearly unattainable for Apple.

So, come on Apple! Pay up. It will better for everybody.
 
Last edited:

bousozoku

Moderator emeritus
Jun 25, 2002
14,542
614
Lard
Oh come now, should we discuss how buggy MS OS patches are compared to Apple's? (you can't look at the dollar amount without counting the number of incidents).

I would agree on a equal reward footing irregardless of the OS being researched that the security bug bounties should be similar value to companies that want to know about these issues. Thats a reasonable expectation.
Microsoft is quick to patch things, often moving the problem, but never really making their software better.
 
  • Like
Reactions: Mrjetsondc

Robert.Walter

macrumors 68020
Jul 10, 2012
2,087
2,584
At this point I can accept no excuse or justification from apple for why it isn’t paying best in class bounties.

Slow to scale excuses arguments? Ridiculous.

Smaller than industry rewards? It’s literally a marketplace of exploits. Not every hacker is a white hat. Some are beyond US Justice, others it takes years to catch. When Apple isn’t the first stop for exploits, in such cases the damage is done by the time such holes are closed and the crooks caught.

For God’s sake, people have literally died and been hacked into pieces because of unpatched Apple bugs.

And in the meantime Apple wants us to put our medical histories, identification, house and office keys in our devices…

Yes we can blame NSO and FSB etc, but they are finding what is already there. There is no reason Apple couldn’t find most of it first if it doubled down on this.

Apple is the richest company in the history of humanity. It has the financial resources to rival some nation states. There is no traditional business barrier to Apple doing what it needs to here.

Not able to run a robust bug discovery program that draws the best and most submissions (and conversely staffing internally to handle these)? Apple is fully able.

There is no reason that the above can’t be solved. And at this point is only because of perceptual and cultural lag, possible arrogance, clear lack of CEO priority, and definite CFO cheapskatedness.

I might add it’s pretty glaring that attention and resources are lacking here even as Apple instead builds proof of concept golden keys inviting state coercion to expand their CSAM intrusion into other areas…
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.