
Apple fans were excited when the company announced its iOS bug bounty programme almost a year ago during the Black Hat conference. It meant that the tech titan was serious about keeping its ecosystem secure while also rewarding those who find vulnerabilities in its mobile platform. Unfortunately, some researchers believe that the monetary rewards are too low for them to report their findings to Apple.

Nearly a year after it was announced, the Apple Security Bounty programme can’t seem to deliver what it promised. The Mac maker has yet to announce that it has rewarded a hacker for finding holes in iOS. According to a report, this is because of the iPhone’s excellent security features, which means that hackers are better off selling their findings on the grey market for considerably higher prices rather than handing them to Apple for some lowball amount.

“People can get more cash if they sell their bugs to others,” according to security researcher and expert Nikias Bassen, who partook in the Cupertino, California-based company’s bug bounty programme last year. “If you’re just doing it for the money, you’re not going to give [bugs] to Apple directly.”

Motherboard spoke, on the condition of anonymity, to a number of bug hunters who joined the Apple Security Bounty programme, and not one of them has reported a bug to the tech titan. They also said that they didn’t know anybody who has actually delivered findings to Apple. According to former NSA hacker and Synack researcher Patrick Wardle, who was also invited to the company’s rewards programme a year ago, iOS bugs are “too valuable to report to Apple.”

The iPhone maker’s head of security Ivan Krstic introduced the Apple Security Bounty programme in August of last year at the Black Hat Briefings. The annual conference is one of the major computer security events in the world, as it provides consultation, teaching and updates to hackers, companies and government agencies the world over. Below is the list of initial categories and their corresponding maximum rewards from a slide that Krstic presented during his talk.

Category / Maximum payment:

  • Secure boot firmware components / US$200,000 (AU$264,000)
  • Extraction of confidential material protected by the Secure Enclave Processor / US$100,000 (AU$132,000)
  • Execution of arbitrary code with kernel privileges / US$50,000 (AU$66,000)
  • Unauthorised access to iCloud account data on Apple servers / US$50,000 (AU$66,000)
  • Access from a sandboxed process to user data outside of that sandbox / US$25,000 (AU$33,000)
