Stingy Apple Bug Bounty Payouts Send Researchers To Lucrative Gray Market Hacking

Many technology companies have in place bug bounty programs that reward security researchers who submit discovered vulnerabilities in the products and services they offer. It is a win-win proposition in which technology companies are alerted to potentially crippling security holes, and hackers are compensated for their efforts. Apple is among the companies with a bug bounty program, though some researchers are choosing to hold onto discovered vulnerabilities, or worse yet, sell them on the underground market.

Apple is relatively new to the bug bounty scene. Ivan Krstic, head of Apple's security division, surprised attendees at last year's Black Hat conference by announcing the program, which was well received by the crowd. Yet here we are nearly a year later, and it does not seem as though any rewards have been doled out by Apple. That is not because security researchers are unable to find bugs in Apple's software; it is because the rewards are too low.
"People can get more cash if they sell their bugs to others," Nikias Bassen, a security researcher for Zimperium who joined Apple's program last year, told Lorenzo Franceschi-Bicchierai at Motherboard. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly."

Granted, Apple's ecosystem is locked down pretty tight. It is not easy to root out vulnerabilities in Apple's code, but it is not impossible either. And because finding security holes is so difficult, they are viewed as being more valuable than a typical bug on some competing platforms. This is especially true in the gray market where researchers can cash a bigger paycheck than by going through Apple.

Several researchers whom Franceschi-Bicchierai spoke with said they are hesitant to report bugs to Apple because the bugs are so valuable. It is not just one or two researchers, either. Of the 10 security researchers he spoke with, all said they are not aware of anyone who has reported a bug to Apple.
It is not clear how much the researchers would like to be compensated for their work. When Krstic announced the program last year, he said that bug bounty hunters would be able to earn rewards ranging from $25,000 to $200,000 for certain vulnerabilities in iOS and macOS.

That seems to be in line with companies like Microsoft and Facebook, but again, Apple's operating systems have a high level of security and command higher premiums in the gray market. Exodus Intelligence, for example, offers up to half a million dollars for certain iOS exploits. Zerodium goes even higher, offering up to $1.5 million to researchers for jailbreaking the iPhone.

Apple might not have to match what the gray market is paying, but it at least needs to offer researchers something closer to market value. Otherwise, we suspect that few hackers will submit a bug to Apple for $200,000 when they can sell it elsewhere for $1.5 million instead.