Cybersecurity researchers aren't pleased with Apple's bug bounty program, which already has a large backlog of unfixed bugs, according to reports.
Apple launched its bug bounty program in 2016, but only opened it to the public in 2019. The program has several reward tiers, going all the way up to $1 million for the most serious vulnerabilities.
Based on comments from domain experts and anonymous security researchers, the Washington Post now reports that the company doesn’t enjoy a good reputation in the security industry.
“It’s a bug bounty program where the house always wins,” Katie Moussouris, CEO and founder of Luta Security, told the Washington Post.
As an example of Apple's apparent disdain for security researchers, the Washington Post cites the case of Cedric Owens, who submitted a bug that could have been exploited to install malicious software on Mac computers, bypassing Apple's security measures.
While security experts said the bug put Mac users "at grave risk," Apple paid Owens just $5,000 for his troubles. That figure is striking given that there is an active dark web market willing to pay far more for vulnerabilities of this kind.
Moussouris believes Apple’s attitude towards the bug bounty program will lead to “less secure products for their customers and more cost down the line.”
That isn't too hard to fathom given the recent Pegasus spyware scandal, which was followed by news of another zero-click attack on the latest iPhone devices.
Work in progress
Apple, however, calls its program a "runaway success" in an official statement, saying that the company leads the industry in the average amount paid per bounty.
In terms of total bounties awarded, though, the report states that while Apple spent $3.7 million in 2020, Google paid $6.7 million in the same year, and Microsoft dished out bounties worth $13.6 million in the 12-month period beginning July 2020.
Ivan Krstic, head of Apple Security Engineering and Architecture, called the company's bug bounty program a work in progress, listing the various ways the company is working to expand the program while reducing response times and improving communication.
Update: An Apple spokesperson defended its bug bounty program and shared the following statement with TechRadar Pro:
“Compared to the rest of the industry, the Apple Security Bounty program is growing faster, pays more per-reward and more per-researcher than other programs. Before our program began, it took even top industry programs more than 3 years after launch to reach $2M in annual payments. The Apple Security Bounty paid researchers nearly double that amount, $3.7M, in its first year as a public program.”
Via Washington Post