A new report from Motherboard today delves into some details regarding Apple’s bug bounty program, an initiative the company launched last year in hopes of encouraging security researchers to submit “high-value” bugs in exchange for money. Today’s report, however, explains that the program isn’t taking off as fast as Apple had hoped…

At the time of announcement, Apple broke down the max payments as part of its bounty program:

  • Secure boot firmware: $200,000
  • Extraction of confidential material protected by the Secure Enclave Processor: $100,000
  • Execution of arbitrary code w/kernel privs: $50,000
  • Unauthorized access to iCloud account data on Apple Servers: $50,000
  • Access from a sandboxed process to user data outside of that sandbox: $25,000

Motherboard’s report, however, explains that Apple isn’t paying researchers nearly enough, as they can get considerably more for bugs from third parties. Additionally, if researchers were to report some bugs they found, it could prevent them from doing further research.

Furthermore, the report notes that eight bug hunters said they had not submitted a bug to Apple’s bounty program, nor do the researchers themselves know of anyone who has submitted something to Apple.

Apple simply doesn’t seem to be paying researchers enough for the bugs. Motherboard says that in the current gray market, companies such as Zerodium buy exploits from researchers and sell them to their customers, offering $1.5 million for a method “comprised of multiple bugs that can jailbreak the iPhone.” Another company, Exodus Intelligence, offers around $500,000 for similar exploits.

Both Zerodium and Exodus Intelligence claim to sell only to corporations, law enforcement, and intelligence agencies.

The report also notes just how much effort Apple put into its bug bounty program, flying prominent researchers to Cupertino for closed-door meetings and schmoozing, only for the program to falter:

Whether or not Apple has any changes in mind for its bug bounty program remains to be seen. In the program’s current state, however, researchers are looking elsewhere for their payouts. Check out Motherboard’s full report for a deeper look at the program.