A security researcher has complained about reduced payouts for macOS flaws under Apple's bug bounty program, even though Apple has raised the maximum for its more high-profile rewards.
In October, Apple said that the payouts in its Security Bounty program would increase considerably in November. While the bounties for some high-profile exploit chains have grown to as high as $2 million, complaints are being raised about the awards for some macOS categories.
In a post to LinkedIn, IRU macOS security researcher Csaba Fitzl claims that the Apple Security Bounty has "devalued" macOS. The devaluing is demonstrated, in Fitzl's view, by the lower awards now offered for disclosing certain specific bypasses.
"Full TCC (privacy) bypasses are down from $30.5k to $5k," Fitzl writes, while other individual TCC categories are reduced from payouts between $5,000 and $10,000 to just $1,000.
TCC stands for Transparency, Consent, and Control, a set of operating system features that only permit an app to access a user's personal data after specific requirements are met. A TCC bypass means the attacker has managed to get around Apple's protections, accessing that data without obtaining the user's consent.
Under the updated program, as checked by AppleInsider on December 2, Apple will pay $1,000 if someone with physical access to a locked Apple device can access one class of sensitive user data. Apple's example is a Lock Screen logic bug that reveals the last edited note.
Other low-value rewards include creating a malicious iPhone app that gains limited access to one data class, such as the last photo taken by the user, without consent. Web content code execution can pay up to $10,000, with reductions to $5,000 for an arbitrary read/write primitive, or just $2 for arbitrary register control.
For macOS specifically, a bypass of Gatekeeper with limited user interaction could earn up to $10,000. Capturing a TCC target flag with an unsandboxed app earns $5,000, while a sandboxed version gets up to $10,000.
Obtaining sensitive data protected by TCC without the TCC target flag earns up to $1,000. Meanwhile, a sandbox escape that only works on macOS can get up to $5,000.
Smaller carrot, smaller field
Fitzl reads the low bounties as Apple saying it doesn't care about the Mac anymore. They continue that Apple is seemingly admitting it can't fix everything and doesn't care anymore, or at least is "not willing to pay for it."
The researcher claims there aren't many people looking for macOS platform vulnerabilities in the first place. With lower rewards, Fitzl expects the move could shrink the pool of macOS researchers even further.
It could also hurt macOS security in other ways, they continue. Researchers may turn to other platforms in response or, worse, be tempted to sell exploits to third-party companies for a high price.
Picking targets
While macOS-specific awards are somewhat lacking, Apple did raise other award categories significantly. In its October announcement, it raised the zero-click chain award for a remote attack without user interaction from $1 million to $2 million, while attacks requiring a single click could earn the submitter up to $1 million, up from $250,000.
Wireless proximity attacks also saw a boost from $250,000 to $1 million. Attacks on a locked device with physical access rose from $250,000 to $500,000 at the same time.
Apple also outlined a $100,000 award for researchers reporting a full macOS Gatekeeper bypass with no user interaction.
At the same time, to encourage low-impact issue reporting, Apple said it would roll out a $1,000 award alongside CVE assignments and researcher credits.
While Fitzl may be right that the level of awards for macOS-related research is low, it is also worth considering that Apple's higher awards target attack vectors that clearly justify them.
Bounties connected to iOS are especially high because of the sheer number of iPhones on the market. Apple's revenue is driven chiefly by iPhone sales, with the Mac quite far behind.
Similarly, remote attacks without user intervention are given high awards because of the impact they can have on Apple's users across a variety of product lines.
Apple certainly could offer extremely high bounties for macOS submissions if it wants. But it's a sheer numbers game, and Apple has to value its largest audiences the most.
For the moment, that's iPhone users.