While many Silicon Valley tech companies famously employ ‘bug bounty’ programs whereby individuals or third-party groups can receive substantial monetary rewards for finding critical software bugs, Apple is curiously the odd man out. Whether it’s Google handing out $12,000 to a former employee who managed to purchase the Google.com domain name or Facebook paying $15,000 to a security researcher who happened upon a way to unlock any user’s account, paying cold hard cash to learn about previously undetected security vulnerabilities is not only commonplace, but also makes a lot of sense.
With this in mind, The New York Times recently posed an interesting question. Given that the FBI has reportedly enlisted the help of Cellebrite to access Syed Farook’s locked iPhone, is it possible that the third party behind the technique might have gone to Apple directly if Apple had a bug bounty program in place?
The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company’s website — but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.
The disclosure by the United States government on Monday that an unknown third party had approached it — and not Apple — to help open a controversial iPhone only highlights how the giant company approaches bug-hunting efforts and security differently from the rest of the tech industry.
Indeed, Apple has in the past seemingly played a game of ‘catch up’: once a software flaw is publicly outed, it scrambles to develop a patch and then has users download the update as quickly as possible. A bounty program would not remove the need to patch, but it would give researchers a financial reason to report privately first, so Apple could fix flaws before they are public and before attackers can use them. That would further protect its user base, if Apple were willing to pay security researchers and tinkerers. Interestingly enough, it is not uncommon for security researchers to publicize a vulnerability after reportedly having their initial reports and warnings to Apple go unheeded.
Speaking on the matter, HackerOne chief policy officer Katie Moussouris told the Times: “Especially with the stakes being as high as they are, if Apple wants to continue to compete in the modern world, they have to modernize their approach.”
Of course, it’s entirely plausible that Apple would rather spend money on hiring security experts than on paying bug finders who are in it for the money. Recall that a private exploit-acquisition firm late last year offered upwards of $3 million for anyone who could come up with a “workable, remote and untethered jailbreak that will persist even after reboot.” That said, maybe Apple simply doesn’t want to encourage that type of ‘research’ to begin with.