Apple’s bug bounty program is coming under criticism – here’s why

Cybersecurity researchers aren’t pleased with Apple’s bug bounty program, which already has a massive backlog of unfixed bugs, according to reports.

Apple launched its bug bounty program in 2016, but only opened it to the public in 2019. The program has several reward tiers, going all the way to $1 million for the most serious of vulnerabilities.

Based on comments from domain experts and anonymous security researchers, the Washington Post now reports that the company doesn’t enjoy a good reputation in the security industry.

“It’s a bug bounty program where the house always wins,” Katie Moussouris, CEO and founder of Luta Security, told the Washington Post.

Security insensitivity

As an example of Apple’s apparent disdain for security researchers, the Washington Post cites the case of Cedric Owens, who submitted a bug that could have been exploited to install malicious software on Mac computers while bypassing Apple’s security measures.

While security experts said the bug put Mac users “at grave risk,” Apple paid Owens a measly $5000 for his troubles. This is all the more striking considering that there is an active dark web market willing to pay big bucks for such vulnerabilities.

Moussouris believes Apple’s attitude towards the bug bounty program will lead to “less secure products for their customers and more cost down the line.”

That isn’t too hard to fathom given the recent Pegasus spyware scandal, which was followed by news of another zero-click attack on the latest iPhone devices.

Work in progress

Apple however calls its program a “runaway success” in an official statement, saying that the company leads the industry in the average amount paid per bounty.

In terms of total bounties awarded, though, the report states that while Apple spent $3.7 million in 2020, Google paid $6.7 million in the same year, and Microsoft dished out bounties worth $13.6 million in the 12-month period beginning July 2020.

Ivan Krstic, head of Apple Security Engineering and Architecture, called the company’s bug bounty program a work in progress, listing the various ways the company is working to expand the program while reducing response times and improving communication.

TechRadar Pro has contacted Apple for its view on the news.

Via Washington Post