This is why Apple’s bug bounty program is being criticized – and how you can help.
It is a work in progress, according to Apple, which defends its software.
According to sources, cybersecurity researchers are dissatisfied with Apple’s bug bounty program, which already has a large backlog of unfixed problems.
Apple began its bug bounty program in 2016, but it wasn’t until 2019 that it was made available to the general public. It is possible to earn rewards at various stages, with the highest tier offering $1 million for the most significant flaws.
Drawing on comments from domain experts and anonymous security researchers, the Washington Post recently reported, on the basis of its investigation, that the firm does not have a good reputation in the security field.
Luta Security CEO and founder Katie Moussouris described the scheme as “a bug bounty program in which the house always wins.”
Insensitivity to security concerns
As an example of Apple’s apparent contempt for security researchers, the Washington Post cites the case of Cedric Owens, who disclosed a flaw that could have been exploited by hackers to install malicious software on Mac machines, circumventing Apple’s security safeguards.
Apple paid Owens a pittance of $5,000 for his efforts, despite security experts warning that the flaw put Mac users “at severe risk.” This is particularly startling given that a thriving dark web market is prepared to pay top dollar for vulnerabilities of this kind.
Apple’s attitude toward the bug bounty program, according to Moussouris, would result in “worse secure products for their customers and more costs in the future.”
Given the recent Pegasus spyware incident, which was followed by revelations of another zero-click attack on the latest iPhone handsets, it isn’t difficult to see why.
This is a work in progress.
In an official statement Apple describes its program as a “runaway success,” and in a separate statement the firm claims to lead the industry in the average amount paid per reward.
According to the study, however, Apple spent $3.7 million on bounties in 2020, while Google spent $6.7 million in the same year and Microsoft paid out $13.6 million in bounties for the 12-month period beginning July 2020.
Ivan Krstic, Apple’s senior vice president of security engineering and architecture, described the firm’s bug bounty program as a “work in progress,” noting the numerous ways the business is striving to extend the program while simultaneously lowering response times and increasing communication.