Apple Has Started Paying Hackers for iPhone Exploits

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: In 2016, Apple's head of security surprised the attendees of one of the biggest security conference in the world by announcing a bug bounty program for Apple's mobile operating system iOS. At the beginning, Apple struggled to woo researchers and convince them to report high-value bugs. For the researchers, the main issue was that the bugs they discovered were too valuable to report to Apple, despite rewards as high as $200,000. Companies like GrayShift and Azimuth made an entire business out of exploiting vulnerabilities in Apple products, while other researchers didn't want to report bugs so they could keep doing research on iOS. But two years later, some researchers are finally reporting vulnerabilities to Apple, and the company has begun to award some researchers with bounties, Motherboard has learned.

[...] Adam Donefeld, a researcher at mobile security firm Zimperium said that he has submitted several bugs to Apple and received payments for the company. Donefeld was not part of the first batch of security researchers who were personally invited by Apple to visit its Cupertino campus and asked to join the program. But after submitting a few bugs, Donefeld told me, an Apple employee asked him if he wanted to be part of the bounty program in a phone call. "I know Apple pays people," Donefeld said in an online chat. "I'm certainly not the only payout." Another researcher, who asked to remain anonymous because they are worried about souring their relationship with Apple, said that they have submitted a few bugs and been awarded bounties, but has yet to be paid. [...] Two other researchers told Motherboard they also have concerns with or have had trouble with the program. One said they weren't paid for a bug they submitted (Motherboard could not independently confirm that the researcher did not get a payment), and another said they didn't want to participate in it at all, even after being invited. Further reading: Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties.

Apple should negotiate each exploit bounty amount

[JoeyRox]

Rather than capping the reward at an arbitrary value, which limits the chances of it being brought to them, Apple should have a policy that negotiates/bids the bounty amount based on the exploit's significance. The process can work by having the hacker demonstrate the exploit to Apple, without revealing how the exploit works, after which they can negotiate the bounty.

Re:Apple should negotiate each exploit bounty amou

[xxxJonBoyxxx]

>> having the hacker demonstrate the exploit to Apple, without revealing how the exploit works

I'm not sure if you're trolling, but in case you're not, I can tell you that just seeing someone exploit your code gives you a LOT of clues as to what the exploit actually is. As a software developer...I've been with >1 companies that get reporting researchers to show us the exploit (against heavily instrumented website/services/etc.) and then we've fixed it without paying/recognizing the researcher AT ALL. In these cases, having a standing reward system actually benefits the reporter, as in "I think I found some XSS vulnerabilities and I'd like to apply for the $1K XSS reward - can we agree to engage under this framework?"

Re:So much for being innovative

[guruevi]

If you read the article, Apple has been offering for years but some sleazy companies and researchers found it more valuable to keep the information hidden.