Apple announced a major expansion to its bug bounty program in 2019, offering higher payouts to researchers, Mac support, dedicated developer devices, and more. Two years later, Apple is calling the revamped bug bounty program a “runaway success,” while a report from the Washington Post says security researchers are “fed up” with the program.
The report includes a notable story from Tian Zhang, an iOS software engineer, who claims to have submitted multiple bugs to Apple and never received a payment. In fact, Zhang says he was kicked out of the Apple Developer Program instead:
Tian Zhang, an iOS software engineer, first reported a bug to Apple in 2017. After months of waiting for Apple to fix the bug, Zhang lost patience and decided to blog about his discovery. The second time he reported a security flaw, he says Apple fixed it but ignored him. In July, Zhang submitted another bug to Apple that he says was eligible for a reward. The software was quickly fixed, but Zhang didn’t receive a reward. Instead, he was kicked out of the Apple Developer Program. Membership in the program is required to be able to submit apps to the App Store. Apple did not comment on Zhang’s allegations.
A handful of similar stories are cited in the report from the Washington Post, including researchers who say Apple takes too long to complete payouts and say rivals like Facebook and Microsoft operate better bug bounty programs. Google ($6.7 million in 2020) and Microsoft ($13.6 million) have also paid more than Apple ($3.7 million).
The report also points out that Apple has a “massive backlog of bugs it hasn’t fixed,” citing anonymous sources:
Payment amounts aren’t the only factor for success, however. The best programs support open conversations between the hackers and the company. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement.
Apple also has a massive backlog of bugs that it hasn’t fixed, according to the former employee and a current employee, who also spoke on the condition of anonymity because of an NDA.
In a statement, Ivan Krstić, head of Apple Security Engineering and Architecture, said that the bug bounty program has been a “runaway success” so far, and that Apple is working hard to “scale the program.”
“The Apple Security Bounty program has been a runaway success,” Ivan Krstić, head of Apple Security Engineering and Architecture, said in an emailed statement. Apple has nearly doubled the amount it has paid in bug bounties this year compared to last, and it leads the industry in the average amount paid per bounty, he said.
“We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world,” he added.
One tidbit in today’s report is that Apple has apparently hired “a new leader for its bug bounty program” this year, with the “goal of reforming it.” That person reportedly works under Krstić, but Apple would not provide more details.
The full report at the Washington Post is well worth a read and can be found here.