A new article by The Washington Post has highlighted how a lack of communication and a failure to pay hackers what they believe they're owed have left security researchers fed up with Apple's bug bounty program.
For the past five years, the iPhone maker has been inviting hackers to break into its services and devices, offering up to $1 million to learn of its most serious security flaws. But many who are familiar with the program say Apple is slow to fix reported bugs, which is hurting the program and has also “created a blind spot on security.”
“It’s a bug bounty program where the house always wins,” said Katie Moussouris, CEO and founder of Luta Security. She added that Apple’s bad reputation in the security industry will lead to “less secure products for their customers and more cost down the line.”
The unfriendly nature of its bug bounty program has discouraged some security researchers from pointing out flaws to Apple, these people said. That’s prompted some to sell them to “gray market” customers like government agencies or companies that sell sophisticated hacking services, or go public without notifying Apple, which could put customers at risk.
Meanwhile, Ivan Krstić, head of Apple Security Engineering and Architecture, responded with the following emailed statement.
“The Apple Security Bounty program has been a runaway success. We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world.”
Krstić also said the company has gathered feedback and “will continue to scale and improve” its rapidly growing program.