Apple pays a lot of money for vulnerabilities found, but does not always fix them

Apple has run its vulnerability bounty program for five years now, offering up to $1 million for the most dangerous issues. However, many cybersecurity experts complain that the company fixes vulnerabilities with delay and does not always pay adequate remuneration. In general, the researchers believe that Apple's closed approach only harms the program and jeopardizes security, writes The Washington Post.

Apple launched the bug bounty program in 2016, and it remained closed until 2019. According to Ivan Krstic, head of security engineering at Apple, the company has paid out twice as much in awards this year as it did last year and leads in the average amount of compensation per vulnerability.

However, researchers interviewed by The Washington Post disagree with this statement. Similar programs at Facebook, Microsoft and Google are more open and provide more resources to reach a wider audience of experts, they said. Plus, many of them pay more than Apple.

For example, in 2020 Microsoft paid researchers a total of $13.6 million under its bounty program, Google paid $6.7 million, and Apple spent $3.7 million for these purposes.

In addition, Apple does not explain why it decides to pay or not pay for a particular vulnerability, sources say. At the same time, the company accumulates reported vulnerabilities that remain unpatched. Because of this approach, many researchers do not report the problems they find to Apple, preferring to sell them to government agencies or to companies that develop hacking tools.

According to Krstic, Apple intends to improve its approach to the reward program, respond more quickly to reports from researchers, and add new incentives.