Apple is once again facing sharp criticism of its bug bounty program, the scheme the company relies on to keep its devices and operating systems secure. A group of well-known IT security experts still see major problems with the public vulnerability-reporting program Apple launched five years ago. Speaking to the Washington Post, the researchers complain, among other things, about too little communication, long delays on Apple's side, and a payout scheme that is too complex and confusing about how much a discovered vulnerability actually earns.
Apple communicates too little – even with researchers
Katie Moussouris, founder of the security firm Luta Security, who herself helped the US Department of Defense set up its own bug bounty program, put it this way: “This is a [program] in which the house always wins.” Apple has “a bad reputation in the security industry”, which in turn means its products are “less safe for the customers” and also drives up costs.
Apple has indeed let its customers down on several fronts recently. It is still unclear whether all of the vulnerabilities exploited by the Pegasus spyware have been fixed; Apple steadfastly refuses to say. In addition, the company is planning a highly controversial child abuse material scanner that runs directly on iPhones and iPads, which would break explicit privacy promises it has made.
The bug bounty problems, confirmed to the Washington Post by more than two dozen security researchers, concern among other things how reported bugs are handled: fixes arrive slowly, and time and again bounty sums that had actually been communicated were never paid out. The white-hat hackers believe this shows in the total payout figures. In 2020, Apple paid out only $3.7 million in bounties, while Google reached $6.7 million and Microsoft $13.6 million. That is of course also related to the number and severity of the vulnerabilities found, but Apple operates an enormous platform, with over a billion iPhones in use. Apple is also reluctant to publicize its bug bounty program: Google often praises researchers by name, whereas Apple only mentions them briefly in the credits of its updates.
Massive backlog of bugs?
Insiders also report a “massive backlog” of reported bugs. Overall, they say, Apple lacks openness. Ivan Krstic, one of the company's most senior security managers, responded that the program has been “a success” and that Apple paid out twice as much money in 2020 as it did in 2019.
The company is, he said, still in the process of “scaling up” the program. There will be “new rewards for researchers” to broaden participation, and Apple is constantly looking for new ways to provide better research tools “that fit our rigorous, industry-leading security model.” Apple now gives rooted iPhones to selected researchers, and according to the company, reporting vulnerabilities should become even easier in the future. Apple is also said to have hired a new head for the bug bounty program.