Apple Has Paid Out $20 Million to Security Researchers for Finding Bugs

Apple on Wednesday shared its first update on the progress of the Apple Security Bounty program, a bug bounty program the company launched with select researchers in 2016.

“We started Apple Security Bounty with one steadfast goal: to recognize and reward the security community for sharing research with us to help protect our users,” the tech giant said in the update.

Apple eventually opened the Security Bounty program up to all researchers in 2019. The company has paid out nearly $20 million USD in bug bounties to researchers since then, with an average payout of $40,000 in the Product category and including 20 separate bounties of over $100,000 for high-impact issues.

According to Apple, that makes the Apple Security Bounty (ASB) the fastest-growing bug bounty program in industry history. Last year alone, Apple said it paid out “millions of dollars” in bounties and nearly doubled the number of total researcher rewards compared to 2020.

In its ASB update on Wednesday, Apple also outlined several upgrades it is making to the program. The company said it is responding more quickly to submissions, completing initial evaluations of nearly every report within two weeks of submission (and most within six days).

Apple is also making it easier for researchers to report issues and communicate with security personnel at the company, providing more transparency and bounty information to researchers, and making status updates on reported issues more frequent and easily accessible.

The company is certainly headed in the right direction with these improvements. Researchers have previously expressed frustrations with Apple over subpar communication, difficulty getting paid for reported vulnerabilities, long turnaround times for fixes, and insufficient compensation.

iOS developer Guilherme Rambo recently reported a dangerous bug that let apps eavesdrop on users’ Siri conversations. The vulnerability has been patched, but Apple awarded Rambo a mere $7,000 bug bounty for his efforts.

Apple also announced it is accepting applications for the 2023 Apple Security Research Device Program, which features an iPhone exclusively dedicated to security research. Registrations will remain open until November 30.