The Apple Security Bounty (ASB) program was launched in 2016 with the promise of monetary rewards and recognition for researchers who submit vulnerabilities. However, issues such as Apple’s lack of communication, denial of recognition and reward, and silent patching have worn security researchers’ patience with the program thin. SearchSecurity reports that some frustrated researchers are considering selling their zero-day exploits to brokers instead.
Apple’s mishandling of security researchers makes them denounce its Security Bounty program
According to the report, several cyber security researchers complain that it takes months to get a response from the company after submitting a vulnerability. Sometimes the company simply patches the flaw quietly without giving them recognition and, in some cases, without paying the associated cash reward.
This behavior was evident in the case of developer Denis Tokarev, who discovered four zero-day exploits. Apple patched one in iOS 14.7 without giving him credit, and when he went public with the remaining three exploits in iOS 15, the company offered a superficial apology and then repeated the behavior. In the iOS 15.0.2 update, the company fixed a gaming zero-day exploit without giving Tokarev credit or a cash reward. Two more exploits still remain to be fixed; all of the exploits were submitted between March and May 2021.
Shail Patel, a researcher and application security engineer at FormAssembly, said:
“On various occasions, when we reported our findings to Apple, our reports were not acknowledged or triaged for weeks until multiple repeated follow-ups,” he said. “Not just that, but when it comes to remediation, many of our high-severity findings were not patched for months.” Moreover, he said the duo “never received a single bounty for any of our submissions,” despite having vulnerabilities he described as “in-scope and eligible for bounty payouts.” He added that, by his estimation, they had not broken nondisclosure agreements or rules of engagement for the submissions described.
The Cupertino tech company’s disengagement has pushed well-intentioned security researchers to explore other outlets for their zero-day exploits, such as HackerOne, the Zero Day Initiative, or third parties, which could include firms like NSO, creator of the Pegasus spyware used to hack iPhone and Android devices.