Apple's bug bounty program hindered by low payouts, report says

Posted in General Discussion, edited July 2017
Apple's invite-only bug bounty program is off to a slow start as security researchers in search of high payouts are saving discovered exploits for high-price sales on the gray market.


Apple's Ivan Krstic announces the bug bounty program at Black Hat USA 2016.


In a series of interviews conducted by Motherboard, researchers invited to participate in Apple's initiative said iOS bugs are too valuable to report.

Notably, participants are reluctant to report discovered system flaws because the bugs are either worth more on the gray market or because reporting them would cut off their work on other areas of the operating system. So far, researchers invited to the program have yet to publicly claim a single bounty.

"People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher at Zimperium who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly."

Of the ten researchers Motherboard interviewed, none had filed a report with Apple.

Announced at a Black Hat conference in 2016, Apple's bug bounty program was created to uncover zero-day flaws in hopes of shoring up defenses of high-level computing assets and first-party security elements. Maximum payments top out at $200,000 for exploits related to secure boot firmware components and quickly drop off to $100,000 for the extraction of confidential material protected by the Secure Enclave Processor. Lower payouts include $50,000 for execution of arbitrary code with kernel privileges, $50,000 for unauthorized access to iCloud account data on Apple servers and $25,000 for access from a sandboxed process to user data outside of that sandbox.

Private companies like Zerodium pay upward of $1.5 million for a full set of bugs that can jailbreak an iPhone, the report said. Other firms will accept iOS exploits for $500,000, depending on their intrinsic value. These companies claim to operate within legal borders, and peddle the discovered zero-day exploits to corporations looking to protect their networks or law enforcement and intelligence agencies.

Hackers might also be leery of reporting bugs to Apple as doing so would jeopardize their own research. Because iOS is so well protected, it takes multiple bugs to access other flaws hidden deep within the operating system. Presenting a bug to Apple ensures the flaw will be patched, thus limiting a potential avenue of access for researchers.

Security researchers invited to attend a bug bounty brief last year asked Apple for special iPhones, or "developer devices," that lack certain restrictions normally present on public models, the report said. These devices would allow hackers to report bugs while continuing investigation into the deep recesses of iOS. Apple declined to provide such devices.

Comments

  • Reply 1 of 9
    foggyhill (Posts: 4,767, member)
    So, ethically bankrupt so-called "security researchers," huh? I call them blackmailers and crooks myself.
  • Reply 2 of 9
    sergioz (Posts: 223, member)
    "Security researchers... asked Apple for special iPhones, or "developer devices," that lack certain restrictions..." I see why Apple would deny access to such devices! First, they have their own researchers and security specialists. Second, it's not worth having a high-payout program, because even if something gets out of hand it'll get patched very fast! Even high-price-tag hacks get patched, which is Apple's strategy: keep your devices updated and keep buying new phones!
  • Reply 3 of 9
    foggyhill (Posts: 4,767, member)
    sergioz said:
    "Security researchers... asked Apple for special iPhones, or "developer devices," that lack certain restrictions..." I see why Apple would deny access to such devices! First, they have their own researchers and security specialists. Second, it's not worth having a high-payout program, because even if something gets out of hand it'll get patched very fast! Even high-price-tag hacks get patched, which is Apple's strategy: keep your devices updated and keep buying new phones!
    Also, those dev devices with fewer restrictions would be reverse-engineered, and this would quickly be leaked and be a major security hole in itself; not worth it for sure.
  • Reply 4 of 9
    NemWan (Posts: 114, member)
    Hackers who refuse reasonable compensation to take ethical action that protects the privacy of millions of users should have their assets seized. Since when is "I can make more money being bad" acceptable?
  • Reply 5 of 9
    jungmark (Posts: 6,664, member)
    I doubt this is occurring. I'm sure Apple invited reputable researchers. Many researchers already reported bugs prior to the program.
  • Reply 6 of 9
    dewme (Posts: 1,992, member)
    You can't really fault Apple on this one. If Apple jacks up the bounty on what they'll pay for reported zero-day and root-level vulnerabilities/exploits, the state-sponsored agencies, in particular, will simply up the ante on their side by offering even higher payouts. So Apple inadvertently ends up establishing the market price for these bugs and escalating a bidding war that only benefits unscrupulous actors. Legitimate and goodwill-motivated "researchers" who are honestly engaged in tracking down the kinds of bugs we're talking about, for the purposes that Apple is promoting, are going to be sufficiently motivated by the bounties that Apple is already offering. Why would anyone want Apple to further benefit those who profit from such shady operations by inflating the market price of sleaze?
  • Reply 7 of 9
    NemWan said:
    Hackers who refuse reasonable compensation to take ethical action that protects the privacy of millions of users should have their assets seized. Since when is "I can make more money being bad" acceptable?
    Take a look at human history. There is your answer. "Ethical" is a word that is forgotten.
  • Reply 8 of 9
    MplsP (Posts: 1,214, member)
    I wonder how Apple's program compares to other bug bounty programs out there.
  • Reply 9 of 9
    badmonk (Posts: 775, member)
    Or maybe the reason there have not been any claims is that no security flaws/holes have been found.