Some researchers are claiming Apple is pricing its bug bounties too low, appearing to not know the true value of its own zero-day exploits.
In August 2016, Apple's head of security announced the iPhone maker was launching a bug bounty, yet nearly a year later there is no evidence that any bounties have been claimed.
While the lack of submissions could be a testimony to the security of the Apple platform, some feel that this is an indication Apple has misread the bounty market and isn't offering the fair payouts to those who spot zero days in the platform.
Not long after the announcement of Apple's new program, security researcher Jonathan Zdziarski tweeted from a now deleted account: “If you had a 0day, would you sell it to Zerodium for $1.5m, or Apple for $200k?”
Zerodium is an exploit acquisition program that offers large payouts for zero days in major operating systems.
Organisations often don't realise the various complexities that go into scoping a program and pricing vulnerabilities and may end up stalling their bug bounty programs, Bugcrowd vice president of pperations David Baker said.
“The natural evolution of a bug bounty program results in rising payouts,” Baker said. “As companies like Apple continue to both adopt programs and learn how to best manage pricing vulnerabilities the risk of hackers selling serious vulnerabilities [eg, an iOS backdoor] to companies like Zerodium will be reduced."
"Apple has to compete with the true value for the bugs they want to buy," Dan Guido, CEO of the cybersecurity research firm Trail Of Bits, told Vice's Motherboard. "They're trying to buy game-over stuff at $200,000, but it's just worth more than that."
In addition, researchers told the publication that Apple refuses to offer special devices to researchers that don't have certain restriction such as sandboxing to make them easier to hack and greater explore potential vulnerabilities.
.png&h=142&w=230&c=1&s=1)
.png&h=142&w=230&c=1&s=1)
.png&w=100&c=1&s=0)
.png&h=298&w=480&c=1&s=1)
