In 2016 at the popular Black Hat conference, where hackers from around the world gather for discussions, hacking competitions, and networking, Apple’s head of security Ivan Krstic announced an iOS bounty program. The program meant that hackers could comb iOS for security vulnerabilities and report them to Apple for a reward.
However, the program hasn’t really taken off as it was supposed to, reads a report from Motherboard.
The reports also say that some security researchers are unwilling to report bugs to Apple as it would hamper their further research into the OS. For the hackers who are doing it for making money, selling bugs directly to Apple is not profitable.
Conforming to the practice, one of the researchers, Nikias Bassen says, “If you’re just doing it for the money, you’re not going to give [bugs] to Apple directly”. Similarly, Patrick Wardle, a researcher specializing in MacOS research says that “iOS bugs are too valuable to report to Apple”.
Apple has different categories of bug, and the highest amount Apple is offering is US$200,000. That’s nothing compared to other companies like Zerodium and Exodus Intelligence. In the past these firms have offered rewards as high as US$1.5 million and US$500,000, respectively.
Several researchers referenced in the report said they’re hesitant to report bugs to Apple because they’re so valuable. It is not just one or two researchers, either, as out of the 10 security researchers he spoke with, all of them said they are not aware of anyone else who has reported a bug to Apple.
“Apple has to compete with the true value for the bugs they want to buy,” Dan Guido, the CEO of the cybersecurity research firm Trail Of Bits, said. “They’re trying to buy game-over stuff at $200,000, but it’s just worth more than that.”