Researchers’ experience with Apple offers peek at ‘confusing’ vulnerability award process
Five researchers who found 55 vulnerabilities in Apple’s online services and assets, some of which were critical vulnerabilities, received nearly $300,000 from the Silicon Valley giant Thursday – but it was a journey to get there.
At first, the researchers were only paid a fraction of that, and the road to a larger payment — which appears to align more with typical Apple vulnerability research rewards — has been frustrating and confusing, according to one of the researchers involved. The experience offered a window into Apple’s relatively nascent bug bounty initiative, still in its infancy compared to other major tech companies’ programs after only fully opening to the public last year.
The vulnerabilities, which the researchers investigated over the last three months, included 11 critical and 29 high-severity flaws. One would allow attackers to compromise victims’ iCloud accounts without any user interaction. Another would allow remote code execution via authorization and authentication bypass. Apple said it does not appear that any user data was misused before the researchers found the vulnerabilities, and that it has patched them.
The payment was doled out in pieces and, before Thursday, the five researchers had only received $51,500 for all 55 vulnerabilities — a low sum compared to some of Apple’s previous awards to researchers who have found important bugs in Apple products and services. Apple paid one such researcher $75,000 for an exploit chain they found earlier this year, for instance.
The relatively meager sum of $51,500 raised questions over whether it was an adequate award for the number and severity of flaws the researchers found, an issue Motherboard previously covered. And although the researchers have now been compensated with a higher amount of money, questions about Apple’s process for working with researchers remain.
Apple informed the researchers that they would receive the larger $288,500 payment after one of the researchers, Sam Curry, published a blog detailing the $51,500 payment on Thursday, raising questions about whether Apple increased the sum because of public attention on the exchange.
Curry told CyberScoop the process had its problems, but that Apple had said it would make more payments to his team in the near future, meaning the timing of the increased payment could have been coincidental.
“It’s a bit confusing and maybe a little frustrating, but from their side it totally makes sense,” Curry said in a Twitter exchange. “Bug bounty programs are meant typically to take maybe 1-2 things of this caliber a week. It would make sense if their security team was somewhat overwhelmed with all of the open tickets at once.”
An Apple spokesperson declined to elaborate on the timing, but said the company was grateful for the work of Curry and his colleagues Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes.
“At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats,” the spokesperson said. “We value our collaboration with security researchers to help keep our users safe and have credited the team for their assistance and will reward them from the Apple Security Bounty program.”
Questions about the value of the flaws found in Apple products and services have been bubbling up in recent years as researchers increasingly delve into exposing holes in Apple code. Zerodium, an exploit acquisition company that pays researchers for vulnerability submissions, announced earlier this year that it was no longer accepting Apple iOS flaws because the market was over-saturated with Apple vulnerabilities.
The confusing exchange between the researchers and Apple coincides with its efforts to revamp its vulnerability research programs. Last year the firm adjusted its bug bounty program to pay up to $1.5 million to researchers who find new ways of compromising the iPhone’s operating system. Earlier this year Apple formally launched its iPhone security research program, which the company said will make it easier for researchers to find flaws in iPhones.