Apple had difficulties in the past trying to persuade researchers and experts to report high-value bugs. For these so-called researchers, the primary issue was that the bugs they discovered were way too valuable to report to Apple, despite rewards being offered as high as $200,000.
In 2016, companies like GrayShift and Azimuth made an entire business out of exploiting weaknesses in Apple products, while other researchers didn't want to report bugs so they could keep doing research on iOS. But two years later, some researchers are finally reporting vulnerabilities to Apple, and the company has begun to award bounties to some of them.
Almost all the major tech players have had bug bounties for years. These are programs that are designed to encourage security researchers and friendly hackers to alert the companies of flaws or vulnerabilities in their products in exchange for monetary rewards, which are sometimes in the six figures. Contrary to other companies, however, Apple has not disclosed or discussed any details of the bounty program after announcing it way back in 2016.
Adam Donenfeld, a security research specialist at Zimperium, said that he has identified and submitted several bugs to Apple and received payments from the company. Donenfeld was not part of the first batch of security researchers who were personally invited by Apple to visit its Cupertino campus and asked to join the program.
Another security researcher, who asked to remain anonymous because they are worried about damaging their relationship with Apple, said that they have also identified and submitted a few bugs and been awarded bounties, but have yet to be paid. Two other researchers also had concerns with or have had trouble with the program. One said they weren't paid for a bug they submitted, and another said they didn't want to participate in it at all, even after being invited.
The researcher explained that he had found a potential weakness, but by the time he had developed an exploit for it, it had already been reported by someone else. In his opinion, the program isn't going very well for Apple or for its participants. Beer is a hacker working for Google Project Zero, the elite team of hackers and research specialists tasked with finding weaknesses and backdoor loopholes in all kinds of devices and services.
At the Black Hat conference this year, Beer spoke about finding bugs in iOS and challenged Apple to donate almost $2.5 million in unpaid bug bounties to Amnesty International. It's safe to say that, for now, Apple appears to be happy with how the bug bounty program is going.
"There are many advocates of the program from the security and the software engineering side," said an Apple employee familiar with the program who spoke on condition of anonymity because he was not authorized to talk to the press. I guess the real concern here is, is this a good thing or a bad thing? Is Apple deliberately trying to invite hackers over to hack them? Or is it something else entirely?