ANALYSIS: Apple Is Going To Pay Researchers Who Find Bugs In Its Products

(The Washington Post) -

Apple will finally start paying out cash rewards to researchers who find security problems in their products, the company announced at the BlackHat cybersecurity conference in Las Vegas Thursday. But the news left some experts wondering why Apple was so late to the party.

So-called “bug bounty” programs are now standard among most tech giants. They can help keep consumers safe by encouraging independent researchers to help companies fix security flaws. When a researcher finds a legitimate problem, rewards can range all the way up to the six figures.

But Apple historically had a different approach — offering a tipline where people could report security problems, but not handing out any reward other than putting the researcher’s name on a thank you page on its website.

“It was kind of an insult,” said Matthew Green, a computer science professor at Johns Hopkins University who has previously told Apple about security problems in its products and didn’t know why it took them so long to launch a bounty program. “Maybe after San Bernardino they felt there was some pressure to acknowledge that it wasn’t enough to give people a pat on the back — even if they can’t pay enough to compete with the free market,” he said.

Apple’s lack of a bug bounty program drew criticism earlier this year when the FBI paid an unknown entity more than $1 million for help breaking into an iPhone used by one of the San Bernardino shooters. Without a bug bounty program, some argued, the only way researchers could make money from finding bugs in Apple’s products was selling them off to the highest bidder — in this case, the FBI.

But now, Apple has a chance “to compete for the type of exploits available and control how they’ll be used,” said Jeff Pollard, principal analyst focused on IT security at Forrester Research.

Apple’s new rewards program will launch in September, but won’t be open to anyone. Instead, it will be invite-only — at least in the beginning. But researchers who approach the company with a major problem also will be invited to join. Most programs are open to all researchers.

The program will only reward researchers for finding a few categories of problems at launch. The biggest payouts will be for bugs affecting software built into components that help Apple’s devices start-up securely: Researchers who find one of those could get up to $200,000.

That makes Apple’s bug bounty program one of the most lucrative out there. Google’s program, which launched in 2010, upped its largest bounty — for breaking the security of its Chromebooks — to $100,000 this March. Microsoft’s largest per bug payout is also $100,000.

Apple’s potential big rewards may be aimed at convincing researchers to turn to the company when they find a problem, rather than the open market where vulnerabilities might be bought up for use in criminal or state-sponsored hacks.

But even with Apple’s hefty new payouts, other places may still pay a better premium for ways to hack into the company’s products.

Last year, Zerodium, a company that deals in buying zero-day vulnerabilities from researchers and selling them to large corporations and government agencies, said it paid $1 million to researchers who were able to remotely hack into the latest version of Apple’s mobile operating system, iOS.

The company doesn’t offer the same massive payouts for problems in other products. “No software other than iOS really deserves such a high bug bounty,” Zerodium founder Chaouki Bekrar told The Post last year, citing Apple’s strong security built into its products.

That internal focus on security may be one reason Apple held out against an official bug bounty program so long while, even as other sectors like the automotive industry, airlines and the Department of Defense started to get in on the game.

The rise of Apple Pay may be another factor that pushed the company to be more aggressive about getting help from the larger security community, according to Green.

“They really need to know that system is secure” because there’s actual money at risk, he said. “I think a lot of researchers would rather hand vulnerabilities over to Apple than to someone who is going to use it to steal people’s payment information.”