A new report from Motherboard today delves into some details regarding Apple’s bug bounty program, an initiative the company launched last year in hopes of encouraging security researchers to submit “high-value” bugs in exchange for money. Today’s report, however, explains that the program isn’t taking off as fast as Apple had hoped…
At the time of announcement, Apple broke down the max payments as part of its bounty program:
- Secure boot firmware: $200,000
- Extraction of confidential material protected by the Secure Enclave Processor: $100,000
- Execution of arbitrary code with kernel privileges: $50,000
- Unauthorized access to iCloud account data on Apple Servers: $50,000
- Access from a sandboxed process to user data outside of that sandbox: $25,000
Motherboard’s report, however, explains that Apple isn’t paying researchers nearly enough, as they can get considerably more for bugs from third parties. Additionally, reporting some of the bugs they find could prevent researchers from doing further research.
“People can get more cash if they sell their bugs to others,” said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple’s program last year. “If you’re just doing it for the money, you’re not going to give [bugs] to Apple directly.”
Furthermore, the report notes that eight bug hunters said they had not submitted a bug to Apple’s bounty program, nor do the researchers themselves know of anyone who has submitted something to Apple.
Apple simply doesn’t seem to be paying researchers enough for the bugs. Motherboard says that in the current gray market, companies such as Zerodium buy exploits from researchers and sell them to their customers, offering $1.5 million for a method “comprised of multiple bugs that can jailbreak the iPhone.” Another company, Exodus Intelligence, offers around $500,000 for similar exploits.
Both Zerodium and Exodus Intelligence claim to sell only to corporations, law enforcement, and intelligence agencies.
The report also notes just how much effort Apple put into its bug bounty program, flying prominent researchers to Cupertino for closed-door meetings and schmoozing, only for the program to falter:
Apple pitched the researchers on collaborating with the company by joining the bug bounty program. Apple security employees gave presentations, took the researchers out for dinner, and gave them a chance to chat and discuss their work. Even Craig Federighi, Apple’s senior vice president of software engineering, made a surprise appearance to meet and greet the researchers, according to two sources who attended.
Whether or not Apple has any changes in mind for its bug bounty program remains to be seen. In the program’s current state, however, researchers are looking elsewhere for their payouts. Check out Motherboard’s full report for a deeper look at the program.