Apple’s bug bounty program, launched in September 2016, has seen little response. The main reason for the low interest is the comparatively low rewards Apple pays for discovered security vulnerabilities. According to experts, the black market pays far more.
More money on the gray and black market
Apple’s bug-bounty initiative seems to have achieved little so far. Motherboard VICE cites several security experts who discuss the reasons for the lack of success. “People can earn more if they sell the gaps they find to someone other than Apple,” says security researcher Nikias Bassen, who works for the company. Anyone who is only in it for the money does not pass their findings on to Apple.
While the iPhone maker pays up to $200,000 for vulnerability reports, companies like Exodus Intelligence offer $500,000 for iOS exploits. A bundle of vulnerabilities that allows an iPhone to be jailbroken is estimated to be worth about $1.5 million.
In addition, according to cybersecurity researcher Dan Guido, finding a $200,000 vulnerability in a system as heavily protected by sandboxing and other mechanisms as iOS is unlikely. Many bug hunters therefore do not even begin the lengthy and potentially fruitless search.
Reporting smaller vulnerabilities is unprofitable
Reporting low-severity vulnerabilities, for which Apple pays little more than a few thousand US dollars, usually does not pay off. Instead of forwarding such bugs to the company, security researchers prefer to use the small gaps to find larger, more lucrative vulnerabilities.
Apple as a latecomer to bug bounties
Apple’s security chief Ivan Krstic announced the reward program for the discovery of security vulnerabilities in iOS and macOS in August 2016. Apple is a late starter in bug-bounty rewards, as other IT giants like Google, Microsoft and Facebook have been paying for reported vulnerabilities for years.
Apple’s invite-only system was quickly criticized. The iPhone maker initially opened the bug bounty program only to security experts who had already made important contributions to security. According to Apple, opening it to anyone interested would be inefficient, because the most critical vulnerabilities could get lost in the mass of reports.
Reported vulnerabilities in individual sandboxed processes earn up to 25,000 US dollars. Vulnerabilities in the Secure Boot firmware are worth up to 200,000 US dollars to Apple.