Apple bug bounty program has massive backlog, claims report

Hacker (Image credit: iMore)

What you need to know

  • A new report says Apple's Bug Bounty program isn't up to scratch.
  • The Washington Post says the system has a massive backlog.
  • It also cites security researchers and hackers who say it pays less than other companies.

A new report into Apple's bug bounty program says the system has a massive backlog of bugs that haven't been fixed, and that participants are not satisfied with how it operates.

From The Washington Post:

...many who are familiar with the program say Apple is slow to fix reported bugs and does not always pay hackers what they believe they're owed. Ultimately, they say, Apple's insular culture has hurt the program and created a blind spot on security.

One expert told the Post that Apple's program meant "the house always wins" and that Apple had a bad reputation in the security industry. The Post says that two dozen security researchers pointed out how rivals like Facebook and Microsoft pay out more than Apple, highlighting the work of researchers and offering conferences and resources. By contrast, Apple was portrayed not only as stingy with payouts but also less transparent:

Payment amounts aren't the only factor for success, however. The best programs support open conversations between the hackers and the company. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement.

Two sources, worryingly, told the Post that Apple has a "massive backlog of bugs that it hasn't fixed," and other sources complaining that the "unfriendly nature of its bug bounty program has discouraged some security researchers from pointing out flaws to Apple."

Despite these reports in a statement, Apple described its program as a "runaway success", and said, "we working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world."

The full report cites further instances of researchers being paid less than they thought they were owed, or sometimes nothing at all. At least one researcher says they spoke to Apple and said the company was "aware of how they're seen in the community" and was "trying to move forward", even hiring a new leader for its bug bounty program to reform the initiative.

Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design. Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9