Apple’s bug bounties need to get with the program

After a couple high profile security flaws, Apple needs to take a hard look at its bug bounty program.

apple submit bugs
IDG

Today's Best Tech Deals

Picked by Macworld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

Digital and information security is something that everybody’s had to become all too familiar with over the past decade. As we carry around devices that themselves store everything from our friends’ contact details to our bank account information, it’s become ever more crucial that those devices be well secured against all possible intruders.

In general, Apple’s track record on security has been pretty solid. The App Store’s walled garden, while often the target of derision from competitors, has done an effective job of curtailing malware on the platform and the company issues frequent security updates to its products.

But even Apple isn’t without its security shortcomings, and a few recent incidents suggest ways that the company may need to go beyond just patching vulnerabilities in its software and change the procedures around how it deals with the people who uncover these exploits.

Bounty hunting

Apple came fairly late to the idea of a bug bounty program, which it only launched back in 2016. Competitors, both first- and third-party, have long offered these initiatives, in which security researchers are paid for uncovering specific types of exploits. Apple’s program offers a sliding scale of payments, depending on the severity of the bug: $200,000 for compromising the secure boot process, for example, all the way down to $25,000 for a way to violate the iOS sandbox. At launch, the company offered bounties for five different categories of exploit.

Here we run into the first problem. Those payouts, while they may sound it impressive to laypeople like us, are actually relatively small in comparison to what security researchers can get paid by selling those same exploits to other firms, some of which offer more than twice as much as what Apple will pay. Why? Because there are hundreds of millions of iOS devices out there and vulnerabilities—especially serious ones—are pretty rare. Intelligence and law enforcement agencies, among others, are always looking for ways to break into other people’s devices.

Step one would be for Apple to improve the payouts on its bugs. The company is far from cash poor, and even though it doesn’t want to have spend money it doesn’t have to, can it afford not to up its rewards when its biggest platform—and one where it’s not shy of boasting about its security—is at stake? This is just as much an investment in the company’s future as spending billions on research and development.

No dis-invitations!

Let’s assume that you are willing to sell your exploit to Apple for less money than you could get elsewhere, possibly out of a sense of doing the right thing. You may not be able to, because the bug bounty program is currently available only by Apple’s invitation.

That leads to situations like the recent Group FaceTime bug, which was initially uncovered by fourteen-year-old Grant Thompson, whose mother subsequently tried to report the bug to Apple. (After the bug became public and Thompson’s role became apparent, Apple paid a visit to the teenager, who will now receive the bounty.)

There is a logic to restricting the bug bounty program to known researchers, as it probably helps narrow the field to those likely to come up with serious exploits. But Apple should absolutely also implement some sort of parallel mechanism for those who aren’t in the program to report vulnerabilities. Otherwise, we’ll see more scenarios like this one, in which the company distinctly looks like it was caught with its pants down.

macOS is no good to you dead

Speaking of getting caught with your pants down, German security researcher Linus Henze this week claimed to have uncovered a flaw in the macOS’s keychain, allowing a maliciously crafted app to access your passwords without needing administrator privileges. However, he also made a stir by saying that he hasn’t reported the bug to Apple because the company doesn’t currently offer bug bounties for exploits on macOS.

Setting aside the merits of Henze’s decision, this is clearly another place that Apple’s program falls short. The bounties cover iOS and iCloud, which might be bigger platforms than the Mac, but Apple still sells millions of computers every quarter—you’d think it would want to incentivize people to report security concerns for them.

It was understandable that Apple launched the program on its most prominent platforms, but after more than two years of offering bounties, it seems like it’s probably time to expand that to the Mac as well. Especially because so many of its technologies and systems now span both Mac and iOS.

Overall, it’s great that Apple offers a bug bounty program at all, but now, two years after its launch, it still feels very much like a 1.0. Given these recent incidents, maybe it’s time for the company to do a sweeping update to make sure that its stamping out all those bugs before they’re found in the wild, for the good of both its users and its own reputation.

Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read our affiliate link policy for more details.
Related:
  
Shop Tech Products at Amazon