Apple’s Bug Bounty program not paying enough to entice hackers


An Apple program that’s intended to entice hackers to reveal iOS security flaws in exchange for cash is failing to generate the necessary traction due to insufficient cash incentives, Motherboard reports. The program, announced by Apple’s security chief Ivan Krstic at last summer’s Black Hat conference, offers a cash bounty of up to $200,000 to hackers who discover and report vulnerabilities in the company’s products. However, almost a year later, the program appears to have struggled to take off, with many researchers reporting that they can sell exploits for considerably more money on the grey market than the mere $200,000 that Apple is willing to pay.
In fact, there has been no evidence that any hackers have yet claimed any bug bounties from Apple as part of the program, and with iPhone security as tight as it is, the difficulty in finding flaws in the first place makes them extremely valuable on the open market. Further, many researchers are also reluctant to report bugs because doing so may in some cases prevent them from continuing their research. Speaking anonymously to Motherboard due to the confidential nature of Apple’s bug bounty program, ten researchers in the program indicated that they have yet to report a bug to Apple, and in fact do not know of anyone who has. They generally all agreed, as one stated, that bugs are “too valuable to report to Apple.”

Apple gathered the group of prominent white-hat hackers at its Cupertino headquarters last September to pitch them on collaborating on the bug bounty program, giving them presentations from Apple security teams, taking them out to dinner, giving them a chance to chat and discuss their work, and letting them meet with Craig Federighi, Apple’s senior vice president of software engineering. Although the announcement of the program was made publicly, everything else about it has been kept under close wraps with Apple’s usual secrecy, and the program remains invite-only. While Apple offered bounties of up to $200,000, most researchers have pointed out that grey market companies have offered considerably higher payouts, ranging from $1.5 million from Zerodium for a collection of multiple bugs that can jailbreak the iPhone to $500,000 from Exodus Intelligence for similar iOS exploits. These grey market companies specialize in purchasing and compiling exploits which they claim to sell only to corporations to help them protect their own security and to law enforcement and intelligence agencies to help them hack into high-value targets for criminal investigations and counter-terrorism.

Researchers also suggest that Apple has mishandled its bug bounty program in other ways, including limiting it to only select handpicked researchers as well as denying those researchers access to specialized “developer devices” that would make their efforts easier — many researchers are reluctant to report bugs for fear of complicating their future efforts when such bugs are fixed, since iOS and the iPhone hardware are so tightly locked down that it’s often open exploits that allow researchers to delve further into the devices.

Jesse Hollington

Jesse Hollington was a Senior Editor at iLounge. He's written about Apple technology for nearly a decade and had been covering the industry since the early days of iLounge. In his role at iLounge, he provided daily news coverage, wrote and edited features and reviews, and was responsible for the overall quality of the site's content.