Thursday, September 9, 2021

Security Researchers Unhappy With Apple’s Bug Bounty Program

Juli Clover:

Apple offers a bug bounty program that’s designed to pay security researchers for discovering and reporting critical bugs in Apple operating systems, but researchers are not happy with how it operates or Apple’s payouts in comparison to other major tech companies, reports The Washington Post.

In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn’t always pay out what’s owed.

Reed Albergotti (tweet, Hacker News):

Ultimately, they say, Apple’s insular culture has hurt the program and created a blind spot on security.

“It’s a bug bounty program where the house always wins,” said Katie Moussouris, CEO and founder of Luta Security, which worked with the Defense Department to set up its first bug bounty program. She said Apple’s bad reputation in the security industry will lead to “less secure products for their customers and more cost down the line.”

[…]

“The Apple Security Bounty program has been a runaway success,” Ivan Krstić, head of Apple Security Engineering and Architecture, said in an emailed statement.

[…]

Payment amounts aren’t the only factor for success, however. The best programs support open conversations between the hackers and the company. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug[…] Apple also has a massive backlog of bugs that it hasn’t fixed, according to the former employee and a current employee, who also spoke on the condition of anonymity because of an NDA.

[…]

Tian Zhang, an iOS software engineer, first reported a bug to Apple in 2017. After months of waiting for Apple to fix the bug, Zhang lost patience and decided to blog about his discovery. The second time he reported a security flaw, he says Apple fixed it but ignored him. In July, Zhang submitted another bug to Apple that he says was eligible for a reward. The software was quickly fixed, but Zhang didn’t receive a reward. Instead, he was kicked out of the Apple Developer Program.

Dave Mark:

This is a long article, filled with bug bounty stories, many of them anonymously told. Hard to truly know whether this is the squeaky wheel getting all the attention, or something more problematic. […] Definitely reads like Apple puts less money into bug bounties, shines less of a light onto bug researcher efforts and successes than its competitors.

We’ve been hearing a steady stream of these stories, and it almost doesn’t matter whether they’re representative. The perception is that Apple is stingy and a pain to deal with, and that will affect whether researchers choose to deal with Apple at all. Why, other than ethics, go through a process that sounds worse than App Review when you can blog about it for fame or quickly sell to another party for more money?


Update (2021-09-10): Jeff Johnson:

We don’t know for sure that the stories are representative, but we would know a lot more if Apple published any information whatsoever about the bounty payments. Compare the Google Chrome release announcement.
