Is Apple’s Bug Bounty Program Making You More or Less Safe Online?
Companies that develop software and apps typically have some sort of quality assurance process in place, in which product updates are tested thoroughly in-house before they are released to the public. However, given the many different ways customers end up using a product, it is almost impossible for any quality assurance testing to find every issue that could exist in a software application or app. As a result, it is often the product's users who find these issues, commonly referred to as bugs, after the product has been released, and often at inopportune times.
The natural next step when you find an issue with a software product or app is to contact the company to report it, and then hope that the company is able to provide a quick fix. It might also leave you wondering why the company did not find this issue as part of its own testing, and maybe even why you are doing their job for them.
If you have ever found a bug in a software product or application, have you ever thought about what it might be worth to the company, in monetary terms, if you were to report the bug to them? After all, your find could end up helping a lot of the company's customers.
Apple feels it is worth rewarding its customers for reporting issues with its products, so much so that it launched a bug bounty program in 2016, offering between $25,000 and $200,000 if you find and report what Apple considers a serious bug in the latest shipping version of its iOS app. Apple states it will even go so far as to match donations of the bounty payment to qualifying non-profit organizations.
But before you decide to devote your free time to looking for bugs in Apple's iOS app in the hope of profiting big, understand that some feel Apple is actually trying to discourage its customers from participating in the bug bounty program by making the program information nearly impossible to find online. The suspicion is that this is an attempt to avoid paying bounties while still collecting enough information about issues from customers to fix them.
Another consequence of the bounty program is that some researchers who have found bugs are holding off on reporting them because they feel Apple should be offering higher payouts. These researchers are finding that they can make more money by selling these bugs to third parties, who eventually end up exploiting the vulnerability.
So, is the Apple Security Bounty program making you more or less safe online, given that those who are finding bugs in Apple's iOS platform are becoming reluctant to report them and are instead selling them to others who could end up causing even more harm? Industry experts say this could end up costing Apple more in the long run if serious bugs go unreported.
Technical Framework provides services to help organizations prevent cyberattacks. These services include ethical hacking, assessment of your organization, risk intelligence, firewall management, and data leak prevention. Please contact us to learn more about our free consultations.