Last year, Apple launched an invite-only bug bounty program offering security researchers and hackers up to $200,000 for disclosing bugs in iOS. However, the program seems to have failed to take off, as researchers and hackers are reluctant to report bugs to Apple because the bugs are too valuable.
To make matters worse, many third-party companies pay more for iOS bugs than Apple does. Zerodium, for example, offers up to a million dollars for a zero-day iOS exploit.
“People can get more cash if they sell their bugs to others,” said Nikias Bassen, a security researcher at Zimperium who joined Apple’s program last year. “If you’re just doing it for the money, you’re not going to give [bugs] to Apple directly.”
When Apple launched its bug bounty program, it flew many well-known white-hat security researchers, as well as the popular jailbreaker Luca Todesco, to its Cupertino headquarters, where its security team gave them a presentation on why they should join the program. They even met Craig Federighi, VP of Software Engineering at Apple, during their stay. Despite that, security researchers remained apprehensive.
It is not only about the money, either. Because iOS is so hardened, a researcher needs access to multiple unpatched zero-day bugs to do any meaningful research on it. As a result, many security researchers simply keep the bugs they discover to themselves. During the above-mentioned meeting with Apple, many researchers asked Apple’s security team for iPhones with certain security features disabled. Apple, however, declined to provide such devices for their research work.
It is possible that a small number of security researchers did report bugs to Apple through its bug bounty program but decided against discussing it publicly. Even so, Apple’s bug bounty program seems to be a failure, as the company appears to have clearly undervalued iOS bugs.
[Via Motherboard]