Apple's iOS bug bounty program has fallen flat: hackers are not tempted, and that is not Apple's mistake
09.07.2017 apleapplekot
In an interview with Motherboard, researchers who were invited to take part in Apple's program for finding vulnerabilities in iOS said that the operating system's vulnerabilities are too valuable to report. Hackers are reluctant to tell Apple about the bugs they find because the same information is worth more on the grey market.
“People can earn more if they sell the vulnerabilities they find to others,” said Nikias Bassen, a security researcher at Zimperium who joined Apple's vulnerability search last year. “If you do this just for the money, you will not report vulnerabilities to Apple.”
Of the ten professionals surveyed, not one has sent a report to Apple.
Announced at the Black Hat 2016 conference, the program for finding bugs in iOS is aimed at identifying zero-day vulnerabilities and raising the security of the platform.
The maximum reward paid under Apple's bounty program is $200 000. Moreover, the company has restricted the scope of the hackers' work. The search for vulnerabilities is conducted in five specific categories, the highest priority being the secure boot firmware. The goal is to eliminate the ability to run unauthorized code while an iOS device is powering on.
The other rewards are less generous. For example, for unauthorized access to iCloud data on Apple's servers the company will pay $50 000, and for access to user data, $25 000.
Private companies such as Zerodium are willing to pay hackers more than $1.5 million for a full chain of vulnerabilities that allows a jailbreak to be installed on an iPhone. Other firms accept reports of “holes” in iOS for $500,000, though the price depends on the value of the bug. These companies claim they act within the law and sell vulnerability information to companies that want to protect their systems, or to law enforcement.
Hackers also refuse to tell Apple about vulnerabilities because doing so threatens their own research. iOS has a very strong security system, which makes finding vulnerabilities hard. Giving Apple information about a security flaw guarantees that it will soon be fixed, and that is clearly not what the hackers want.
The security researchers Apple invited asked the company to provide a special “developer” iPhone, a device stripped of some of the restrictions present in publicly available models. Such devices would let hackers report errors to Apple while also researching iOS more deeply. Apple refused to provide such a device.
At the moment, many large companies have bounty programs, including Facebook, Google, Microsoft and Yahoo. Microsoft, which launched its initiative four years ago, has paid hackers a total of $1.5 million. The company also offers high rewards for finding certain types of vulnerabilities. Its two largest payments were $100,000 each.