A security researcher employed by Google has suggested that Apple should pay almost $2.5M to charity in return for reporting the iOS bugs he has discovered …
Ian Beer is a member of Google’s Project Zero team, which aims to identify security vulnerabilities in other companies’ software and then gives those companies 90 days to fix them before public disclosure. The initiative is aimed at making the whole Internet safer by effectively forcing companies to fix their bugs.
Apple has a bug bounty program, in which it pays security researchers for identifying bugs in its operating systems, but unlike almost every similar program, it is invitation-only. Business Insider reports that Beer worked out his reports would have accrued almost $1.23M in bounties had he been invited into the program. Allowing for Apple’s offer to double bounties when they are paid to charities, that would make them worth $2.45M.
It’s unclear if there was a specific reason Beer went public with his complaints about how Apple handles vulnerabilities and disclosures. He said in the notes alongside his talk that it was because Apple does a “poor job of fixing” the bugs he reports.
Apple launched its security bounty program two years ago, offering a maximum payout of $200k per vulnerability. A year later, however, the scheme was said to be faltering due to the relatively low payouts to researchers.
Researchers can earn much more selling the vulnerabilities to governments or firms involved in cracking Apple devices, with one startup earlier this year offering $3M for zero-day exploits in either iOS or macOS.