Irish playwright Oscar Wilde famously described a cynic as “A man who knows the price of everything and the value of nothing” – now some researchers are claiming Apple may fit that description: by pricing its bug bounties low, the company appears not to know the true value of its own zero-day exploits.
In August 2016, Apple’s head of security announced that his firm was launching a bug bounty, yet nearly a year later there is no evidence that any bounties have been claimed.
While the lack of submissions could be a testimony to the security of the Apple platform, some feel it is an indication that Apple has misread the bounty market and isn’t offering fair payouts to those who spot zero-days in the platform.
Not long after the announcement of Apple’s new program, security researcher Jonathan Zdziarski asked, in a tweet from a since-deleted account, “If you had a 0day, would you sell it to Zerodium for $1.5m, or Apple for $200k?”
Zerodium is an exploit acquisition program that offers large payouts for zero-days in major operating systems.
Organizations often don’t realize the various complexities that go into scoping a program and pricing vulnerabilities and may end up stalling their bug bounty programs, Bugcrowd Vice President of Operations David Baker told SC Media.
“The natural evolution of a bug bounty program results in rising payouts,” Baker said. “As companies like Apple continue to both adopt programs and learn how to best manage pricing vulnerabilities the risk of hackers selling serious vulnerabilities (e.g. an iOS backdoor) to companies like Zerodium will be reduced.”
Some researchers are also reluctant to share their findings with Apple out of fear that doing so may prevent them from continuing their own research.
“Apple has to compete with the true value for the bugs they want to buy,” Dan Guido, the CEO of the cybersecurity research firm Trail of Bits, told Vice’s Motherboard. “They’re trying to buy game-over stuff at $200,000, but it’s just worth more than that.”
In addition, researchers told the publication that Apple refuses to offer researchers special devices that lack certain restrictions, such as sandboxing, which would make the devices easier to hack and allow deeper exploration of potential vulnerabilities.