Project Zero is Google's effort to clean up code by finding exploits, reporting them to companies, and then giving them a hard deadline before going public. Ian Beer is a Project Zero hacker who focuses on Apple and feels his efforts should warrant some compensation... for charity:

The gist is, Apple introduced a bug bounty program last year, and pays out double if you donate to charity, but it's invitation only. And, since Beer works for Google, he's already paid to find and report these bugs.

Both an invitation-only bug bounty program and a team paid to find other people's bugs are edge cases among big tech companies.

Apple has also been criticized for not paying as much as nation-states or criminals might for iOS or macOS zero-day exploits. From the start, though, Apple made it clear the bug bounty program was never intended to be part of a bidding war with bad actors but as a way for researchers and white hats to get some compensation for doing the right thing and responsibly disclosing potential exploits.

Apple has a security team that works on its own new features and audits other features to prevent as many exploits as possible from reaching customers, and it also includes a red team that responds to any exploits that are discovered in the wild.

Beer doesn't think it goes far enough, though. If you're into information security, you can check out the slides from his Black Hat talk for more.

Calling out Apple, of course, is a great way to get headlines — including this one. But, ultimately, even the best security architecture and implementation can always be made better, and being challenged and challenging what you do is the best way to improve it.

So, who's right here? Should Apple open up the bug bounty program to Project Zero employees, and to many others? Should Google employees who are already paid to find bugs refrain from seeking bounties as well, even for charity? And what about Beer's recommendations?