What you need to know
- A new report says Apple's Bug Bounty program isn't up to scratch.
- The Washington Post says the system has a massive backlog.
- It also cites security researchers and hackers who say it pays less than other companies.
A new report on Apple's bug bounty program says the system has a massive backlog of reported bugs that haven't been fixed, and that the researchers who take part are not satisfied with how it operates.
From The Washington Post:
...many who are familiar with the program say Apple is slow to fix reported bugs and does not always pay hackers what they believe they're owed. Ultimately, they say, Apple's insular culture has hurt the program and created a blind spot on security.
One expert told the Post that, in Apple's program, "the house always wins," and that Apple had a bad reputation in the security industry. The Post spoke to two dozen security researchers, who pointed out that rivals like Facebook and Microsoft pay out more than Apple, publicly highlight researchers' work, and offer conferences and resources. By contrast, Apple was portrayed not only as stingy with payouts but also as less transparent:
Payment amounts aren't the only factor for success, however. The best programs support open conversations between the hackers and the company. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement.
Two sources, worryingly, told the Post that Apple has a "massive backlog of bugs that it hasn't fixed," and other sources complained that the "unfriendly nature of its bug bounty program has discouraged some security researchers from pointing out flaws to Apple."
Despite these reports, Apple described its program in a statement as a "runaway success", and said, "we are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world."
The full report cites further instances of researchers being paid less than they thought they were owed, or sometimes nothing at all. At least one researcher said they had spoken to Apple, and that the company was "aware of how they're seen in the community" and "trying to move forward", including by hiring a new leader for its bug bounty program to reform the initiative.