Apple Has Started Paying Hackers for iPhone Exploits
Despite their value in the grey market, security researchers are reporting bugs as part of the Apple iOS Bug Bounty program, and some are getting rewards.
In 2016, Apple's head of security surprised the attendees of one of the biggest security conferences in the world by announcing a bug bounty program for iOS, Apple's mobile operating system.
At the beginning, Apple struggled to woo researchers and convince them to report high-value bugs. For the researchers, the main issue was that the bugs they discovered were worth more on the grey market than Apple would pay, despite rewards as high as $200,000. Companies like GrayShift and Azimuth built entire businesses on exploiting vulnerabilities in Apple products, while other researchers didn't want to report bugs because they needed them in order to keep doing research on iOS.
But two years later, some researchers are finally reporting vulnerabilities to Apple, and the company has begun to award some researchers with bounties, Motherboard has learned.
Almost all major tech companies have had bug bounties for years. These programs are designed to encourage independent security researchers and friendly hackers to alert the companies to flaws or vulnerabilities in their products in exchange for rewards, which sometimes reach six figures. Unlike other companies, however, Apple has not disclosed or discussed any details of its bounty program since announcing it in 2016.
Adam Donefeld, a researcher at mobile security firm Zimperium, said that he has submitted several bugs to Apple and received payments from the company. Donefeld was not part of the first batch of security researchers who were personally invited by Apple to visit its Cupertino campus and asked to join the program. But after he had submitted a few bugs, Donefeld told me, an Apple employee called him and asked whether he wanted to be part of the bounty program.
“I know Apple pays people,” Donefeld said in an online chat. “I'm certainly not the only payout.”
Apple did not respond to a request for comment.
Another researcher, who asked to remain anonymous because they are worried about souring their relationship with Apple, said that they have submitted a few bugs and been awarded bounties, but have yet to be paid.
“I haven’t been paid this year because I’m still waiting for last year’s payments,” the researcher told me. “But yes, for those previous bugs they gave me CVE [a standardized code to identify vulnerabilities]. And I got confirmation that they were eligible for a bounty, with confirmation of the amount.”
Two other researchers told Motherboard that they also have concerns about, or have had trouble with, the program. One said they weren't paid for a bug they submitted (Motherboard could not independently confirm that the researcher did not get a payment), and another said they didn't want to participate in it at all, even after being invited.
“Never submitted anything myself, after I heard about the bad experiences of others,” that researcher, who also asked to remain anonymous, said.
The researcher explained that he had found a vulnerability, but by the time he had developed an exploit for it, months later, it had already been reported by someone else. In his opinion, the program isn't going very well for Apple.
“I would wager a guess and say Ian Beer had more impact on iOS kernel security than all of the submissions they got through that program combined,” he told me.
Beer is a hacker working for Google Project Zero, the elite team of researchers tasked with finding vulnerabilities in all kinds of devices and services. At the Black Hat conference this year, Beer spoke about finding bugs in iOS and challenged Apple to donate almost $2.5 million, the sum he said his submissions would have earned in unpaid bug bounties, to Amnesty International.
For now, Apple appears to be happy about how the bug bounty program is going.
“There are many champions of the program from the security side and the software engineering side,” said an Apple employee familiar with the program who spoke on condition of anonymity because he was not authorized to talk to the press. “There’s a discussion about making a formal bounty program and team to manage that program.”
“There’s support for it philosophically,” he said, adding that there have been “a few payouts.”