Security Researchers Aren’t Inclined to Participate in Apple’s Bug Bounty Program; Here’s Why


For five years now, Apple has lured ethical hackers with bounties of up to $1 million for pointing out critical security flaws. However, many familiar with Apple's programme say the company is slow to fix reported bugs and doesn't always pay the hackers who report them.

Bug bounty programs have become a preferred way for the tech industry to find vulnerabilities: they encourage hackers to report problems instead of abusing them. However, Apple's "insular culture" has reportedly damaged the program, creating a security blind spot.

Luta Security helped the Department of Defense set up its bug bounty programme. The company's CEO and founder, Katie Moussouris, says that in Apple's bug bounty program "the house always wins." She argued that consumers would ultimately pay the price for Apple's poor reputation in the security industry, in the form of less secure products.

Apple's bug bounty program started off in 2016 as an invitation-only scheme. By 2019, the company had opened the initiative to all researchers. A former and a current Apple employee both said that Apple has a massive backlog of bugs waiting to be patched. Moussouris rightly pointed out that companies should have healthy internal bug-fixing mechanisms in place before they invite outsiders to report vulnerabilities and scale operations. "What do you expect is going to happen if they report a bug that you already knew about but haven't fixed? Or if they report something that takes you 500 days to fix?" she said.

Apparently, Delayed Bug Fixes Aren't the Only Issue

Moving to the financial side, researchers say Apple's bounty payouts are also a problem. Case in point: the program pays up to $100,000 for vulnerabilities that allow attackers to gain "unauthorized access to sensitive data."

Earlier this year, researcher Cedric Owens found one such vulnerability that could let bad actors bypass the Mac's security controls and install malicious software. He shared his findings with Apple, and the company fixed the bug. However, Owens was paid only $5,000, five percent of the $100,000 he believed the finding deserved. Other researchers agree the vulnerability could have allowed access to "sensitive data."

Omaha-based security researcher Sam Curry teamed up with friends and submitted a new bug report to Apple every couple of days. Apple paid $50,000 for one of the bugs; in total, the group earned approximately $500,000. Curry noted that Apple takes longer than the rest of the industry to pay researchers their bounties. He believes this is because Apple is well aware of its poor reputation in the tight-knit security research community.

At least one iOS engineer, Tian Zhang, went on the record to say that Apple ignored his bug reports and didn't pay him for discovering a vulnerability. Interestingly, Apple went ahead and fixed the bug he reported anyway. He remarked that as an engineer, one wants to ensure the safety of products built for other people. "On the other hand, it seems like Apple thinks people reporting bugs are annoying and they want to discourage people from doing so," he continued.

Apple's Culture of Secrecy Is at Odds with the Transparency Ethical Hackers Stand By

Jay Kaplan, the founder of crowdsourced security research company Synack, says that Apple was forced to launch its bug bounty program and embrace the public security researcher culture. He noted that, thanks to Apple's poor reputation, researchers aren't encouraged to report bugs to Apple. Instead, they're "going to security conferences and speaking about it publicly and selling it on the black market, (sic)" said Kaplan.

Exploits for Apple platforms can fetch approximately $2 million on the grey and black markets, just shy of the $2.5 million paid for equivalent Android vulnerabilities.

Apple Remains Adamant, Calls Bug Bounty Program a 'Runaway Success'

Ivan Krstic, Apple's head of security engineering, categorically labeled the bounty program a "runaway success." However, when asked why a researcher wasn't paid for a flaw he discovered, Krstic said, "when we make mistakes, we work hard to correct them quickly, and learn from them to rapidly improve the program."

[Via The Washington Post]
