Apple's crippled bug bounty program makes us all less safe online

By William Gallagher

Paying people when they report serious security issues with macOS and iOS is a good idea but two years on, it's still only done in a half-hearted, miserly way. That's damaging for Apple and it's damaging for us.

There are problems that you cannot find in beta testing but which the millions of people using your products will ultimately spot.

Apple has some of the smartest and most experienced experts searching for problems in its software -- and most of them don't work for the company. Somebody, somewhere will find a problem, and the only question is what they will do with that information.

Right now, Apple has a program to discourage them from coming forward.

That's not how it's meant to be. Officially, Apple has had what it calls a bug bounty program since 2016 -- and it should be simple. If you find a serious bug in Apple's software, the company will pay a reward. That's it. Yes, there are going to be issues over whether you found it first but admin aside, it's straightforward.

Yet, we're three years into the bug bounty and this week Apple made television news by -- shock -- actually paying it out. And perhaps they only did so because of that news reporting.

Good Apple

Apple has done the right thing. It's not only paid some money for the discovery, it's fixed the problem and its release notes credit the people who found it.

People found a bug and reported it to Apple, who fixed it and said thank you. That is what happened and if it had happened in that sequence, if it had been even roughly a straight line through that process, we wouldn't be thinking about it. And, what's much more important, anyone else who finds a bug would go straight to Apple like we want them to. All credit to Apple for fixing this issue and definitely all credit to the company for creating this bug bounty program.

Only, it's as if the people who created the program are in a different office to the ones who are supposed to pay out.

Apple acts as if this bug bounty is an imposition on them, and the accounts department acts as if the amount is going to bankrupt the company. You don't get to become the world's most profitable company by casually spending money, but look at the numbers. The bug bounty is supposed to pay out between $25,000 and $200,000 and even in the short term, Apple's surely lost that in bad PR.

If this had gone another way, if Apple had accepted the bug report, acted on it right away and announced in a more timely fashion that it would pay for the kid's college education as a thank you, the company would be a star. Yes, everyone capable would be leaping on the bandwagon and trying to find a bug to tell Apple -- but that is precisely what they should want.

It's not that we want everybody to love Apple, it's that we want everybody who finds a bug to unhesitatingly take it straight to the company.

Holding out in protest

Also in February, a researcher has demonstrated a new Keychain exploit, that given the right circumstances will allow a persistent and focused attacker to extract your passwords from the Keychain. It isn't so simple that the passwords are downloaded to miscreants when a bad ad is displayed, but it is a vector of attack nonetheless.

And, the researcher isn't sharing the specific details with Apple, beyond a demonstration of the fact that it works -- because of the obtuse bug bounty program. It sure would be better if Apple had all the details here. Certainly, the researcher is holding out which is part of the problem, but the reason why it is being held back is pretty telling.

Not an insurmountable problem

Nobody wants Apple to look like it's alternately in denial and penny-pinching, but it does. Nobody on the side of the angels wants people who find bugs to think it's just easier to sell it to someone who'll exploit a macOS or iOS vulnerability.

Make it clear that telling Apple is the best thing -- and stop hiding how to even do this reporting. Right now, you will have difficulty finding out where to find this bug bounty program. Go ahead, search the Apple website for how you do it.

Maybe you thought about it for a sec and decided that apple.com wasn't the right place, you should search support.apple.com instead. Doesn't matter. No difference.

You'd think it would come up with something

Unless you spend your time figuring out synonyms for bugs and problems -- forget bounty, money, reward -- then the only way to find out how to report a bug is via a Google search. If you instead go to google.com and search "bug bounty at apple.com" then you'll find it.

Or rather, you'll find a Support page called Contact Apple about Security Issues. There's a section for Customers which doesn't mention anything to do with this. There's a section for Developers which tells them to report issues via the regular Apple Developer Connection program that they all have to be enrolled in.

Then, finally, there's a section headed Security and privacy researchers and they are told they can email product-security@apple.com if they want to. That's apparently the one you need but you could fool us because Apple doesn't say so here, it doesn't say so anywhere.

Smarts

If you're clever enough to find a bug, you're smart enough to eventually find the bug bounty program. There's also a good chance that you're smart enough to know that there is good money to be had from the kind of people you don't ever want to have access to bugs.

We're fine with it being difficult to find bad people to sell your bug to, and easy to sell it to Apple. Apple shouldn't be making it as hard to find the good people.

We do not and probably will never know how much money Apple has paid to the discover of this Group FaceTime bug. We also can't actually put a price on how much damage its penny-pinching denial process has cost it this time. Terrible headlines are still popping up all across the internet and social media, despite Apple having already fixed the problem.

It follows, then, that we can't really put a dollar figure on what this means next. You can put too much weight on a single incident but when it's the only incident being talked about, when it's the only incident that makes the news, then it's the one that will be remembered first.

So what we learn from this single incident is that Apple has a bug bounty program but it doesn't want you to know about it. We learn that Apple doesn't really want you to report bugs and it truly does not want to pay out.

And the next time someone finds a serious bug, that could cost Apple -- and us all -- a lot more than between $25,000 and $200,000.

Keep up with AppleInsider by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.