According to a report from Motherboard, sky-high grey-market prices for iOS and macOS exploits mean that iPhone, iPad and Mac bugs are worth more to the researchers who find them than the bounties Apple pays, so they are too valuable to report to Apple.

“For now, security researchers who have been invited by Apple to submit high-value bugs through the program prefer to keep the bugs for themselves,” reads the article. All eight bug hunters the publication interviewed said they have yet to report a bug to Apple.

According to Nikias Bassen, a security researcher at Zimperium who joined Apple’s program last year:

People can get more cash if they sell their bugs to others. If you’re just doing it for the money, you’re not going to give bugs to Apple directly.

Apple’s bug-bounty initiative debuted at the Black Hat conference in August 2016.

The program offers between $25,000 and $200,000 for an iOS or macOS exploit, depending on the component it affects and what it achieves: the tiers announced at launch run from $25,000 for a sandbox escape that reaches user data outside the sandbox, through $50,000 for kernel code execution, up to $200,000 for a compromise of secure boot firmware. For now, the initiative is invite-only.

As The Loop’s Dave Mark put it, the question here is whether the bugs are valuable enough to Apple for it to raise its bounties and compete with the grey market.

  • burge

    The question is, are the people who find these and then sell them to, shall we say, questionable people/companies happy knowing that their bug could be used in a questionable way to exploit a device? They might be selling to the highest bidder, but that in itself could lead to viruses on those devices. This is cash over security and pure greed at its finest. This is basically trying to blackmail Apple for more cash.

    • Abhinav Chaudhary

      Just put yourself in their shoes and imagine what you would do. Do you know coding? I don’t know that, but being a Computer Science engineer I can tell you what it’s like to find that glitch or bug in your own code; sometimes it may take days just to figure out the problem in just 20,000 lines of code that you wrote. Now imagine finding a bug (not talking about 20,000 lines) in a vast ocean of code and then getting a disappointing reward for it. I am not at that level where I can look into the machine code of an OS, but if I were, I would do the same thing as these people are doing, especially since I know the value of the work and time I would put into this program.

      • burge

        So you’re saying that if Apple invites you to this program, as that’s the only way onto it, you’ll accept the offer and then not pass over what you’ve found (and get paid for it)? This just sounds like you want to boast about doing this for Apple, and you’re then not honouring why you agreed to do it in the first place. Why join only to sell to someone else?

      • Abhinav Chaudhary

        Yep, that’s exactly what I am saying. And why would I do it? To make money. Isn’t everything we do to make money (literally not everything)? Even this post is written to make money. If Apple, while making billions a year, pays me less and I have an option to make more money, then the question is: why the F**k not?

      • burge

        What if that bug you found was used in such a way that it affects something that could put human life at risk? You’d be happy about that, would you? So you’re putting a price on a life.

        This is just theoretical obviously.

      • mickey

        Putting a life on an exploit is a slippery slope that you can apply to a lot of things. Regardless, that is a moral question only each person can decide. If a billion-dollar company valued those exploits more, then they could at least price the payouts competitively.

      • burge

        I did say theoretically.

        So you think that a payout of $25,000 to $200,000 is not enough? And if Apple really wants that exploit so it can be patched, I’m sure they’ll pay for it.

        You’ve just brought the word “moral” into it. Where are these people’s morals when they agree to/accept Apple’s invite to help find these exploits and then go on to sell them to the highest bidder?

      • Abhinav Chaudhary

        Those are normal people (in terms of wealth) while Apple as a company is not normal. And with great power comes great responsibility. Apple here is the one that MUST act on moral grounds, while normal people can do whatever they want because they are not powerful like Apple. Like Superman must do the right things to set an example, while normal people can do whatever they want.

      • burge

        So just because it’s Apple you think that you/they deserve more cash?

        This is on the bounds of blackmail.

      • Abhinav Chaudhary

        Great power man, Great power.

      • Man I’m in the wrong job… here I would have thought that getting $200,000 would have been fantastic. LOL, what do you all do for a living then?!

        But joking aside, in terms of industry standards Apple isn’t the highest payer out there, but it’s higher than average. I fail to understand the reasoning that, just because Apple is rich, it owes others more stuff. Last time I checked, the average income in America is a little over $32k. So even if it took 6 years of hard work to find 1 kernel exploit, you’d still be ahead of the general population in terms of average income. Personally, that doesn’t sound like a ripoff to me.

        Are there criminals and governments that would pay more? Yes, but unless Apple was prepared to start paying over $1,000,000 for exploits, they are still going to have this issue. And to be quite frank, if the argument is that, if Apple doesn’t pay enough, you will hand over an exploit to a criminal, you’re now in the realm of blackmail.

        Personally I would turn over an exploit I discovered to Apple even if there wasn’t a bounty program but that’s perhaps just me.

  • M_Hawke

    Well, if Apple is serious about this, then they would outbid the grey market.

  • Diego Milano

    Interesting article. There was a lot of internal discussion on Reddit among people who wanted to raise funding for a jailbreak, and some people were saying that no matter how much we were able to collect, Apple would dwarf it. I wonder what this new figure means in that context…

  • Rick Hart

    What the hell is the grey market? Guess that shit is gonna change colors.

    • Mikasa Ackerman

      The grey market is the guys who hack stuff for fun but don’t plan to do anything malicious with the exploit… generally they will seek a cash reward or sell the exploit to someone who will do something malicious 😉 They just don’t give a F***.

  • synthmeister

    So, what does the black market pay for iOS exploits? Is it exponentially higher? Is Apple that far off the going rate?