According to a report from Motherboard, iPhone, iPad and Mac bugs are too valuable to report to Apple, which leads to sky-high prices for iOS and macOS exploits on the grey market.
“For now, security researchers who have been invited by Apple to submit high-value bugs through the program prefer to keep the bugs for themselves,” reads the article. All of the eight bug hunters that the publication interviewed said they have yet to report a bug to Apple.
According to Nikias Bassen, a security researcher at Zimperium who joined Apple’s program last year:
“People can get more cash if they sell their bugs to others. If you’re just doing it for the money, you’re not going to give bugs to Apple directly.”
Apple’s bug-bounty initiative debuted at the Black Hat conference in August 2016.
The program offers between $25,000 and $200,000 for an iOS or macOS exploit, depending on where it is and what it does. For now, the initiative is invite-only.
As The Loop’s Dave Mark put it, the question here is, are the bugs valuable enough for Apple to raise their bounties to compete with the grey market?