Apple's bug bounty program is faltering because gray market payouts are way bigger



Apple finally announced it was starting an official bug bounty program in August 2016, but almost a year in, the researchers invited to the program have yet to publicly claim a single bounty. The reason, according to a series of interviews conducted by Motherboard, is that bugs are more valuable on the gray market, and that reporting some bugs may actually prevent researchers from doing further research.

"People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium who joined Apple's program last year. "If you're just doing it for the money, you're not going to give bugs to Apple directly."

Apple breaks down its rewards into five areas: the highest payout of $200,000 is for the discovery of bugs in secure boot firmware components; researchers who find ways of extracting confidential data from the Secure Enclave will receive up to $100,000; execution of arbitrary or malicious code is worth up to $50,000, as is access to iCloud account data; and access from a sandboxed process to user data outside the sandbox is rewarded with up to $25,000.

Motherboard's report, however, explains that companies such as Zerodium can pay up to $1.5 million for a method comprising multiple bugs that can jailbreak the iPhone, while another company, Exodus Intelligence, offers around $500,000 for similar exploits. These firms claim to sell only to corporations, law enforcement, and intelligence agencies.

Finding a bug that qualifies for Apple's $200,000 tier is already an unlikely prospect, so there is little incentive to report it to Apple. Moreover, to get to the meaty stuff you need multiple smaller unpatched zero-day bugs, which you are also unlikely to report for a few thousand dollars if doing so would hinder your ability to chase a bigger reward.

In a sense, these gray market prices could be seen as a testament to the security of the iPhone, but they also suggest Apple didn't read the bounty market properly. Since the program is invite-only, perhaps the company needs more people looking for bugs, too.

Image credit: m01229 / Flickr
