Apple Defends Security Bounty Program, Has Paid Out ‘Millions’ in 2021

According to a report from cybersecurity publication SearchSecurity, security analysts and researchers are expressing mounting frustration with the Apple Security Bounty (ASB) program, which rewards researchers and experts for discovering and reporting security-critical bugs and zero-day vulnerabilities.

Apple initially launched ASB as an invite-only program for security researchers in 2016. In 2019, the program became available to the public, allowing anyone to submit vulnerabilities and zero-day exploits to Apple for remediation and remuneration.

According to Apple’s website, payouts for reported vulnerabilities vary, but the tech giant is willing to pay up to $100,000 USD for anything that enables “unauthorized access to iCloud account data on Apple Servers,” and up to $1 million USD for a “zero-click remote chain with full kernel execution and persistence, including kernel PAC bypass, on latest shipping hardware.”

However, getting Apple to pay for a reported vulnerability is easier said than done. White hat hackers are frustrated with Apple’s subpar communication, frustratingly long turnaround time for fixes, silent patching, a penchant to delay giving reporters credit (or leaving it out altogether), and lack of compensation.

A credited bug bounty researcher, who chose to remain anonymous, narrated a less than ideal experience with the iPhone maker. A vulnerability they submitted last December was patched in April, they weren’t credited until May, and as of Friday, Apple hasn’t told the researcher whether they’ll be paying the bounty (or how much they’re even entitled to).

“Communication with Apple Product Security has been bad overall. They usually don’t give updates until you ask them for an update a couple of times, and sometimes they take a very long time to reply,” the researcher said.

“If you ask questions like ‘Have you been able to reproduce my bug?,’ they’ll probably vaguely reply that, ‘We are still investigating and have no new status updates to share at this time.’ A lot of researchers have complained that talking to them is like talking to robots.”

Due to the abysmal state of the Apple Security Bounty program, some security researchers are even considering going over to the (possibly) dark side. Instead of reporting vulnerabilities to Apple, some experts are considering selling them on the open market to third-parties like “zero-day brokers”, such as Zerodium or 0Day Today, or directly to the highest bidder.

Zero-day exploits for Apple’s platforms fetch alarmingly high prices on the open market, significantly higher than what whoever discovered them would have gotten directly from Apple if they had gone to the tech giant.

However, the biggest problem with that isn’t the fact that it rests in a more ethically gray area, but that you never know whose hands the sold zero-day exploits will end up in — it could very well be a bad actor.

The iPhone maker defended its program in a statement to SearchSecurity, saying, “Apple Security Bounty publicly launched in 2019 with the largest payouts ever offered in the industry, including the world’s first $1 million bounty. Since then, Apple Security Bounty has grown the total rewards paid to researchers far faster than any other program in the industry’s history.”

The Apple statement continued to say, “We’ve already paid out millions of dollars this year, and issued nearly double the number of researcher rewards compared to all of 2020, all while leading the industry in average payouts.”

“We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world,” added the Apple statement.

Security researchers aren’t particularly happy with Apple, and this isn’t even the first time their frustrations with the company have made it into the limelight. If it wants to avoid the worst-case scenario of even more zero-day vulnerabilities for iOS and macOS being sold on the open market, Apple needs to get its house in order.