Bug Bounty Hunters Prefer Reporting iOS and macOS Bugs to Third Parties Rather Than Apple
Bug bounty programs are nothing new in the tech industry. Google and other companies have long run reward programs for hackers who find bugs in their software and report them. Google has been a prominent player in this space, and it also credits the researchers who found each vulnerability by name in its security bulletins.
In 2016, Apple also announced a bug bounty program, at the Black Hat conference. But the program never really took off as Apple expected, and there has been little public news of hackers reporting iOS or other Apple software bugs through it. That is not because the iPhone has no bugs, but because hackers are reluctant to report them to the company. A report published by Motherboard states that hackers are unlikely to inform Apple about bugs because they can get better money by reporting them to third parties.
The report also says that some security researchers are unwilling to report bugs to Apple because doing so would hamper their further research into the OS: once a bug is patched, the foothold it gave them is gone. For hackers who are in it for the money, selling bugs directly to Apple is simply not profitable. Consistent with that, researcher Nikias Bassen says, "If you're just doing it for the money, you're not going to give [bugs] to Apple directly". Similarly, Patrick Wardle, a researcher specialising in macOS security, says that "iOS bugs are too valuable to report to Apple".
Greater rewards from third parties
Last year, Apple got into a public fight with the FBI over iPhone encryption. The Cupertino giant refused the agency's demand that it help break into the iPhone of a suspect. The FBI later found outside help for unlocking the phone, paying a hefty sum to an undisclosed third party to do the job. This incident is one indication that, given the difference in incentives, hackers would rather hand over exploitable bugs to outside parties than to Apple: independent hackers can earn far greater rewards by selling to other buyers.
According to the report, Apple's bug bounty program works on an invite-only basis. The security researchers who are part of the program can earn rewards starting at $25,000 and ranging up to $200,000 for bugs in iOS and macOS, with the top tier reserved for vulnerabilities in secure boot firmware components.
The amounts Apple offers seem large, but researchers still prefer other buyers over Apple when it comes to iOS and macOS bugs, because third parties consistently offer more. Companies like Zerodium purchase exploits from bug hunters and sell them to their clients; Zerodium's published payout for an iOS 10 jailbreak is $1.5 million. Another broker, Exodus Intelligence, pays up to $500,000 for similar iOS vulnerabilities. Against that, even Apple's top $200,000 tier is a fraction of the market price.
Apple needs to loosen up if it wants to turn its bug bounty program into a successful one. Relaxing the program's admission rules would open it to a wider pool of independent researchers who would report bugs in its software. At the program's launch, many researchers asked the company for special iPhones without the usual restrictions so they could study the OS in depth, but Apple did not fulfil the demand. The company's restrictive stance is one of the reasons white-hat hackers are put off from working with it. Apple needs to overhaul the program to get the response it wants from hackers.