Most security experts end up selling bugs to third parties

Jul 7, 2017 07:33 GMT  ·  By
Apple is trying to establish stronger ties with prominent researchers by inviting them to the company's HQ

Microsoft’s bug bounty programs have flourished in the last couple of years, with the company paying thousands of dollars to security researchers who discover and report vulnerabilities in its top products, like Windows and Edge browser.

But as compared to Microsoft, Apple seems to be going in the opposite direction, with security researchers choosing to sell bugs to third parties rather than to the company because of a very simple reason: Cupertino isn’t paying enough money for their work.

According to Apple’s own bounty program, the iPhone maker would pay up to $200,000 for bugs in secure boot firmware and no less than $100,000 for extraction of confidential material protected by the Secure Enclave Processor.

Microsoft says it has paid over $200,000 in bounties for Microsoft Edge browser alone in just 10 months, according to a recent statement of Akila Srinivasan from the Microsoft Security Response Center.

Not paying enough

At first glance, security researchers could be making a fortune if they indeed discover such vulnerabilities in Apple products, but according to a Motherboard report, these findings are worth substantially more elsewhere. This is why third parties pay much more money to security researchers and then sell the bugs on to companies and, even worse, to governments and intelligence agencies.

The report mentions iPhone bugs that could allow an iPhone to be jailbroken as a finding that Apple would reward with a dramatically lower bounty than third-party companies. For example, one company called Zerodium pays no less than $1.5 million for such vulnerabilities, while another firm, Exodus Intelligence, offers a $500,000 reward for this kind of exploit.

Apple, however, is trying a different approach. While researchers do not make enough money by reporting bugs to the company, the iPhone maker has taken to inviting security experts who find bugs in its products to its own headquarters, taking them out for dinner and holding presentations and meetings to discuss how the security of Apple’s solutions can be improved.

The report says that Craig Federighi, Apple’s senior vice president of software engineering, himself attended some of these meetings with researchers, most likely in an attempt to show just how important the bug bounty program is for the company.