There is nothing new about bug bounty programs: all the big companies run them so that hackers bring bugs to the vendor, where they can be fixed, rather than exploiting them. Apple also launched such a program last year.
Back then, Apple announced the sums it was prepared to pay for bugs found and reported to it, but a new report from Motherboard suggests that the people finding bugs in Apple's products are not simply reporting them back to Apple.
The apparent reason is that the company isn't paying enough. When the bug bounty program was first announced, Apple outlined the amounts researchers could expect for reporting bugs to Apple; the amounts mentioned were as follows:
- $200,000 for Secure boot firmware
- $100,000 for extracting confidential material that is protected by Secure Enclave Processor
- $50,000 for executing arbitrary code with kernel privileges
- $50,000 for accessing data on an iCloud account without authorization
- $25,000 for accessing user data outside a sandbox from a sandboxed process
These sums, apparently, do not cut it when researchers can easily get $500,000 – or sometimes even up to $1.5 million – for the discoveries they make. It is not just about money either: some researchers say that if they report the bugs to Apple, Apple may stop them from continuing their work on those discovered bugs.
According to Nikias Bassen, a security researcher at Zimperium who also joined Apple's bug bounty program last year, one can get a lot more cash simply by selling the discovered bugs to someone else. And if someone is doing all this research for money, they can't be expected to report the bugs to Apple directly. Zimperium itself buys and sells exploits to its customers, and the amounts it usually collects for these bugs go as high as $1.5 million for methods that can be used to jailbreak an iPhone, for instance. Most people probably won't turn such an offer down.
Reports say that of 8 bug hunters contacted, none had reported bugs back to Apple, and they didn't even know of anyone who had. So, if Apple wants to turn things in its favor, it will have to raise its bounties for the program to work.