Apple's bug bounty program is coming under criticism - here's why

bug bounty
(Image credit: N/A)

Cybersecurity researchers aren’t pleased with Apple's bug bounty program, which already has a massive backlog of unfixed bugs, according to reports.

Apple launched its bug bounty program in 2016, but only opened it to the public in 2019. The program has several reward tiers, going all the way to $1 million for the most serious of vulnerabilities.

Based on comments from domain experts and anonymous security researchers, the Washington Post now reports that the company doesn’t enjoy a good reputation in the security industry.

“It’s a bug bounty program where the house always wins,” Katie Moussouris, CEO and founder of Luta Security, told the Washington Post

Security insensitivity

As an example of Apple’s apparent disdain for security researchers, the Washington Post cites the instance of Cedric Owens who submitted a bug that could’ve been exploited to allow hackers to install malicious software on Mac computers, bypassing Apple’s security measures. 

While security experts said the bug put Mac users “at grave risk,” Apple paid Owens a measly $5000 for his troubles. This is surprisingly shocking considering that there’s an active dark web market that’s willing to pay big bucks for such vulnerabilities. 

Moussouris believes Apple’s attitude towards the bug bounty program will lead to “less secure products for their customers and more cost down the line.”

That isn’t too hard to fathom given the recent Pegasus spyware scandal, which was followed by news of another zero-click attack on the latest iPhone devices.

Work in progress

Apple however calls its program a “runaway success” in an official statement, saying that the company leads the industry in the average amount paid per bounty.

In terms of total bounties awarded though, the report states that while Apple spent $3.7 million in 2020, Google paid $6.7 million in the same year, while Microsoft dished out bounties worth $13.6 million in the 12-month period beginning July 2020. 

Ivan Krstic, head of Apple Security Engineering and Architecture called the company’s bug bounty program a work in process, listing the various ways the company is working to expand the program, while reducing response times and improving communication.

Update: An Apple spokesperson defended its bug bounty program and shared the following statement with TechRadar Pro:

“Compared to the rest of the industry, the Apple Security Bounty program is growing faster, pays more per-reward and more per-researcher than other programs. Before our program began, it took even top industry programs more than 3 years after launch to reach $2M in annual payments. The Apple Security Bounty paid researchers nearly double that amount, $3.7M, in its first year as a public program.”

Via Washington Post

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.