Tech Firms Raid Security Flaws with ‘Bug Bounty’ Programs

In the security world, “bug bounty” programs are becoming more common, from Facebook to the Department of Defense. Hackers who can reveal the hidden vulnerabilities of a device, system or corporation can reap significant financial rewards. Apple launched its program in 2016 and offers payouts of up to $1 million for the most elusive flaws. The tech giant reportedly spent $3.7 million on such exercises in the 12-month period ending in July 2021, during which time Google shelled out $6.7 million and Microsoft spent $13.6 million. Such programs have become a valuable tool in security maintenance, putting hackers’ inquisitive natures to productive use. 

Facebook, Microsoft and Google tout their programs and publicize bounty-baggers on leaderboards and in blog posts, according to The Washington Post. Companies host conferences and provide resources to encourage a broad international audience to participate, fueling global competition in hacking through what are known as Capture the Flag (CTF) contests. DEF CON, held annually in Las Vegas, lets finalists compete for a grand prize that was $2 million in 2019.

The code wranglers might say you get what you pay for. Apple, which pays the least of the big three unpacked by The Post, got a couple of low marks in a survey of more than two dozen security experts. Among them is Luta Security CEO Katie Moussouris, who warns that Apple’s less than glowing reputation among cybersecurity enthusiasts will lead to “less secure products for their customers and more cost down the line,” WaPo reports. Apple, so the story goes, is “slow to fix” newly discovered bugs, has an “insular culture” that creates “a blind spot” and has been accused of stiffing the occasional hacker.

Apple has been quick to swat away criticism. According to the company’s security engineering and architecture chief Ivan Krstic, “The Apple Security Bounty program has been a runaway success,” nearly doubling its bounty payouts year over year in 2021. Apple claims to be leading the industry in “the average amount paid per bounty.”

Of course, money isn’t the only measure of success. Hackers place a premium on community and candor, with tight-lipped Apple also scoring low in the latter category.

“You have to have a healthy internal bug fixing mechanism before you can attempt to have a healthy bug vulnerability disclosure program,” explained Moussouris, who also helped create Microsoft’s bug bounty program. Apple allegedly has “a massive backlog of bugs that it hasn’t fixed,” according to two people who spoke to WaPo on background. In fact, some discouraged bug bounty hunters are so put off by Apple that they’ve sold its secrets on the “gray market,” which includes government agencies and hacking firms.

The security of Apple’s iPhones has come under scrutiny this summer after it was revealed that Pegasus software created by Israel’s NSO Group enabled the hacking of phones belonging to human rights advocates, journalists and politicians.

The Washington Post was part of that investigation, which uncovered evidence of “successful or attempted hacks on 34 iPhones,” including the newest models with the software updates. “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place,” Krstic said in a statement at the time.

Still, to date, Apple devices seem to be hacked less often, and security has been a strong selling point for its computers and phones. Apple reports that in 2020 it patched 13 zero-day exploits, flaws that could otherwise have been leveraged by attackers.

Related:
Apple Issues Emergency Security Updates to Close a Spyware Flaw, The New York Times, 9/13/21