Ian Beer, a member of Google’s security-focused Project Zero team, wants Apple to pay a charity of his choice nearly $2.5 million for finding various exploits and bugs in iOS. Google, Microsoft, and almost every other major tech company have a bug bounty program where they give a hefty reward to anyone who discovers a bug or exploit in their products or services.
While Apple also has a bug bounty program of its own, security researchers first need to be invited to the company’s bug bounty program before they can win a bounty for reporting any bug or a zero-day exploit.
Hi @tim_cook, I've been working for years to help make iOS more secure. Here's a list of all the bugs I reported which qualified for your bug bounty since its launch, could you invite me to the program so we can donate this money to @amnesty? pic.twitter.com/VUKj7BaJ4P
— Ian Beer (@i41nbeer) August 8, 2018
Beer is not part of Apple’s bug bounty program, so although he has found and reported numerous bugs and vulnerabilities in iOS, Apple has never paid him a bounty. By Beer’s own tally, the bugs he reported would have qualified for $1.23 million under Apple’s published bounty rates. Since Apple has offered to double a bounty when it is paid to charity, the total would rise to $2.45 million.
Beer also criticised Apple’s bug bounty program following one of his presentations on iOS security. He said that while the program, launched by Apple in 2016, has given the company good PR, it has done little in practice.
“I don’t think Apple intended to use the bug bounty program as a PR tool, but obviously it’s given them plenty of good PR; these supposedly high prices are frequently quoted and, like the million dollar dissident, used as this comfort blanket you can wrap yourself in,” Beer wrote in the notes of one of his presentation slides.
Because iOS zero-day vulnerabilities are hard to find, a security researcher can usually sell one on the black market for far more than Apple would pay under its bug bounty program, which makes Beer’s stance on the matter all the more notable. It will be interesting to see whether Apple gets around to fulfilling Beer’s request.
[Via Business Insider]