Security Researchers Don't Think Apple Pays Enough for Bug Bounties

by

Apple's bug bounty program has been available to select security researchers for almost a year now, but according to a new report from Motherboard, most researchers prefer not to share bugs with Apple due to low payouts. More money can be obtained from third-party sources for bugs in Apple software.

applebugbounty

"People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly."

Motherboard spoke to several members of Apple's bug bounty program with the condition of anonymity. Every single one said they had yet to report a bug to Apple and did not know anyone who had. iOS bugs are "too valuable to report to Apple," according to Patrick Wardle, a Synack researcher and former NSA hacker who was invited to the bug bounty program last year.

Apple first introduced its bug bounty program in August of 2016 at the Black Hat Conference, an annual global InfoSec event. Apple offers bounties of up to $200,000 depending on the vulnerability. Secure boot firmware components earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.

Tags: Apple Security, Bug Bounty

Popular Stories

New Things Your iPhone Can Do in iOS 18

20 New Things Your iPhone Can Do in iOS 18.2

Monday December 16, 2024 8:55 am PST by
Apple released iOS 18.2 in the second week of December, bringing the second round of Apple Intelligence features to iPhone 15 Pro and iPhone 16 models. This update brings several major advancements to Apple's AI integration, including completely new image generation tools and a range of Visual Intelligence-based enhancements. Apple has added a handful of new non-AI related feature controls as...
Read Full Article28 comments
iphone 16 apple intelligence

Apple Drops Plans for iPhone Hardware Subscription Service

Wednesday December 18, 2024 11:39 am PST by
Apple is no longer planning to launch a hardware subscription service that would let customers "subscribe" to get a new iPhone each year, reports Bloomberg's Mark Gurman. Gurman first shared rumors about Apple's work on a hardware subscription service back in 2022, and at the time, he said that Apple wanted to develop a simple system that would allow customers to pay a monthly fee to gain...
Read Full Article109 comments
blackmagic vision pro

Blackmagic Debuts $30K 3D Camera for Capturing Video for Vision Pro

Monday December 16, 2024 4:17 pm PST by
Blackmagic today announced that its URSA Cine Immersive camera is now available for pre-order, with deliveries set to start late in the first quarter of 2025. Blackmagic says that this is the world's first commercial camera system designed to capture 3D content for the Vision Pro. The URSA Cine Immersive camera was first introduced in June, but it has not been available for purchase until...
Read Full Article95 comments
mac pro creativity

Apple Launched the Controversial 'Trashcan' Mac Pro 11 Years Ago Today

Thursday December 19, 2024 7:00 pm PST by
Apple launched the controversial "trashcan" Mac Pro eleven years ago today, introducing one of its most criticized designs that persisted through a period of widespread discontentment with the Mac lineup. The redesign took the Mac Pro in an entirely new direction, spearheaded by a polished aluminum cylindrical design that became unofficially dubbed the "trashcan" in the Mac community. All of ...
Read Full Article159 comments
iPhone 17 Slim Feature Single Camera 2 Redux

Top 5 Apple Products to Look Forward to in 2025

Friday December 20, 2024 2:22 pm PST by
It's looking like 2025 is going to be an important year for Apple, with the company planning to revamp the iPhone, push further into smart home products, and improve Apple Intelligence. There are tons of new products rumored for 2025, including new iPhones, M4 Macs, a smart home command center, and much more. We've highlighted the top five Apple products that will have the biggest impact in...
Read Full Article100 comments
apple tv 4k yellow bg feature

New Apple TV Rumored to Launch Next Year With These Features

Tuesday December 17, 2024 9:02 am PST by
The current Apple TV 4K was released more than two years ago, so the streaming device is becoming due for a hardware upgrade soon. Fortunately, it was recently rumored that a new Apple TV will launch at some point next year. Below, we recap rumors about the next-generation Apple TV. Bloomberg's Mark Gurman last week reported that Apple has been working on its own combined Wi-Fi and...
Read Full Article177 comments
iPhone 17 Pro Dual Tone Feature 1

iPhone 17 Pro Rumored to Stick With 'Triangular' Camera Design

Wednesday December 18, 2024 2:36 am PST by
Contrary to recent reports, the iPhone 17 Pro will not feature a horizontal camera layout, according to the leaker known as "Instant Digital." In a new post on Weibo, the leaker said that a source has confirmed that while the appearance of the back of the iPhone 17 Pro has indeed changed, the layout of the three cameras is "still triangular," rather than the "horizontal bar spread on the...
Read Full Article153 comments
elevation lab airtag battery

Your AirTag's Battery Will Last for Up to 10 Years With Elevation Lab's New TimeCapsule Enclosure

Wednesday December 18, 2024 10:05 am PST by
Elevation Lab today announced the launch of TimeCapsule, an innovative and simple solution for increasing the battery life of Apple's AirTag. Priced at $20, TimeCapsule is an AirTag enclosure that houses two AA batteries that offer 14x more battery capacity than the CR2032 battery that the AirTag runs on. It works by attaching the AirTag's upper housing to the built-in custom contact in the...
Read Full Article129 comments

Top Rated Comments

macsrcool1234 Avatar
macsrcool1234
97 months ago
Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?
A lot more considering they can just easily sell these exploits to people who can do a lot more damage with it for 5 times as much.....
Score: 22 Votes (Like | Disagree)
SecuritySteve Avatar
SecuritySteve
97 months ago
I've been reading some of the comments here, as a new security researcher I find that some of your comments are victim of misconceptions that might be easily cleared up with some insight. For example:

Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?
For one, you might've been right if we were talking about security research from 20 years ago, when it wasn't taken so seriously. However, modern security research is a business in and of itself. It takes a lot of knowledge and training, but more importantly it takes resources. Most external security researchers will not have access to the source code of these applications or OS features that they are probing for vulnerabilities.

Most groups that actively search for vulnerabilities apply techniques like 'fuzzing' where they dedicate hardware to constantly throw input at an application or API until it breaks, and then the researcher figures out if that break is exploitable. These breaks appear in the forms of application crashes and kernel panics. Most kernel level vulnerabilities would sweep the top of the bounty range, since that would allow for access to a system beyond that of an administrator or super user. Getting back to the point, Apple Hardware does not exactly come cheap, and to compete with a lot of the top end researchers like Google's Project Zero, you're going to need a significant investment to even get started.

When any company considers how much to pay out, the company must analyze how frequently bugs are going to be discovered that are significant enough to be rewarded, how much a vulnerability in this particular application or device would be paid for to malicious actors, and what damage to the company would a complete outbreak of an exploit targeting your product would cause to the company's image. If vulnerabilities are going to be frequent, its best to not offer a bounty and to have a team work in-house to discover them - because you will be flooded by submissions from amateur researchers grabbing low-hanging fruit. If vulnerabilities are going to rare and deal high damage to the company's image, as is in Apple's case which champions their security, then the payout needs to be significant enough to compensate researchers for their investment of both time and resources.

I hope this clears things up for readers.
Score: 20 Votes (Like | Disagree)
trsblader Avatar
trsblader
97 months ago
The prices don't seem bad, and in fact seem pretty generous. I googled some other tech companies payouts and they are no where near Apple's.

Facebook claimed their largest payout ever was just $33,500. A bug that was reported that could unlock any user's account received just $15,000.

Microsoft's top payout is $30,000 with Google (apps such as gmail or YouTube specifically, not Android) just slightly up from there at $31,337. Unrestricted file system access that can lead to a google account takeover receives a max of $13,337 from Google.

For the Android part of Google, the top amount is $150-200k which is more on par with Apple.

I think the underground market will always pay more no matter what price Apple sets.
Score: 15 Votes (Like | Disagree)
826317 Avatar
826317
97 months ago
It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.
Well if you do anything other than report it directly to Apple you're per definition a bad guy. As for the compensation, nobody made you mess around with Apple's systems, you decided to put your own time into it. So if you sell it to a bad
guy, it shows your morality and that you couldn't care less....
Score: 10 Votes (Like | Disagree)
HiRez Avatar
HiRez
97 months ago
So the guys most likely to cash in these bounties think the bounties should be higher?
Score: 10 Votes (Like | Disagree)
ddurkee Avatar
ddurkee
97 months ago
It isn’t about being a bad guy its about being compensated for your work. How much is your time worth? Would you sell it short just because it is the ‘proper’ channel? Most wouldn’t.
If you're going to be honest here, the choice is selling it to Apple or selling it to criminals, for use in criminal activities.
Score: 10 Votes (Like | Disagree)
Read All Comments