Low Payouts See Jailbreak Hackers And Security Researchers Avoiding Apple’s Bug Bounty Program
Bug bounty programs are nothing new: large companies run them so that hackers bring bugs to the vendor rather than turn them into exploits, and Apple launched its own program last year.
At the time, the company set out how much it would pay for reported bugs, but according to a new report by Motherboard, those who do find bugs are largely not telling Apple about them at all.
The reason, apparently, is that Apple simply is not paying enough. When Apple announced its bug bounty program, it outlined how much researchers could expect to be paid for bringing their discoveries to Apple’s attention, as follows:
Secure boot firmware: $200,000
Extraction of confidential material protected by the Secure Enclave Processor: $100,000
Execution of arbitrary code with kernel privileges: $50,000
Unauthorized access to iCloud account data on Apple Servers: $50,000
Access from a sandboxed process to user data outside of that sandbox: $25,000
However, it would seem that these sums do not cut it in a world where researchers can be paid $500,000, and sometimes as much as $1.5 million, for their discoveries. It’s not only the money either: researchers say that even if they did go to Apple, a reported bug gets patched, which ends their ability to keep working with the bugs they found, for instance by chaining several of them together.
“People can get more cash if they sell their bugs to others,” said Nikias Bassen, a security researcher at the company Zimperium who joined Apple’s program last year. “If you’re just doing it for the money, you’re not going to give [bugs] to Apple directly.”
Exploit brokers such as Zerodium buy exploits and sell them on to their own customers, with sums in the region of $1.5 million offered for a method “comprised of multiple bugs that can jailbreak the iPhone.” That is money most people would find hard to turn down.
The report notes that eight bug hunters were contacted, none of whom had reported bugs to Apple or knew of anyone who had. If Apple wants that to change, it may have to reach a little further into its pocket.