A year through when Apple launched the bug bounty program on iOS, the invitational deal of the iPhone maker has not yet attained its resolute success since key players in this bug-hunting venture are nonchalant to act up. Participating individuals—security researchers and hackers—are said unwilling to report exploitative bugs and vulnerabilities to Apple due dirt cheap rewards.
Apple has been putting up to US$200,000 as recompense at stake to every member of its iOS bug bounty program who can report to the company any malicious bug living around the mobile operating system. But the said bug-hunting program cannot seem to find itself in the right place until now as researchers and hackers are not willing to capture or report spiteful elements lurking within iOS, leading to its relative failure.
Nikias Bassen, a security researcher who has been a member of Apple's program since last year, told iPhone Hacks that they could sell the bugs to other companies to earn much more money than Apple's bounty. Washington, DC-based information security firm Zerodium can pay up to a million dollar for a zero-day iOS exploit disclosure.
"Even then though, Apple's bugs bounty program seems to be a failure," states the publication, "as the company clearly seems to have undervalued iOS bugs."
Apple is clearly losing this game to third-party companies. There have been no pronouncements from the company if it is planning to raise the bar with regards to rewards and incentives. Last year, Apple shook the information security space by transporting researchers to their Silicon Valley headquarter, convincing them why they should jump on board the program. Today, the popularity has waned, giving Apple the lower hand.
It is worth noting that there could be a few researchers who chose to disclose to Apple the bugs they have discovered and decided not to publicly announce it. Money is not the sole consideration in this bug-hunting program. Many researchers could have just kept the bugs to themselves to study them.