Apple's bug bounty program has shown signs of improvement in recent months, security researchers said, though some major pain points remain.
Apple Security Bounty (ASB), the tech giant's bug bounty program, was launched to the public in 2019. Last fall, several security researchers told SearchSecurity about the challenges of working with the vendor; their criticisms included communication inconsistencies, rejection of bug bounty payouts, and "silent patching," referring to the practice of a vendor fixing a bug without disclosing said vulnerability or crediting the researcher.
In response to these criticisms, Apple told SearchSecurity last fall that it was working to improve its response times, further improve communication and introduce new rewards for researchers.
Six months later, researchers said Apple's communication issues have markedly improved -- especially early this year.
Jose Rodriguez, a prolific ASB researcher typically credited by the handle "videosdebarraquito," said Apple has grown more responsive in recent months -- especially early this year.
Wojciech Reguła, an iOS and macOS security researcher who previously spoke with SearchSecurity about Apple's bug bounty issues, had similar thoughts. He noted that in the last year he's seen "huge improvement."
"I sent six or so emails today [to Apple] with status update requests, and they responded to four in less than 12 hours," he said. "I'd say that the situation changed in the beginning of 2022 -- I guess they hired more people."
Reguła tweeted on March 22 that he received adjudication for a recent vulnerability one week after it was fixed. For a previous flaw, Reguła submitted the vulnerability in June 2020, saw the vulnerability fixed that November, and was only awarded the bounty via a re-adjudication in November 2021.
An anonymous researcher who goes by the Twitter handle "08Tc3wBB" and, like Reguła, previously spoke to SearchSecurity, said he has seen an overall improvement from the vendor over the years. When he reported bugs to Apple in 2016 and 2017 (before the public launch of ASB), the only response he recalled was a "cold, hard automated response message followed by months and months of silence."
This changed in 2020, when Apple began sending an additional reply shortly after the initial automated response.
"It's basically an email informing you that a person from Apple Product Security Team has reviewed your report, and that person's name is included. It feels so much better than dealing with an auto-reply bot," 08Tc3wBB said in an email. "It's been this way ever since. I consider it an improvement Apple has made in terms of communication."
Researcher Saurabh Sankhwar likewise noted some improvement in Apple's communication, but said that in his experience, the type of vulnerability will determine the quality of Apple's communication. This includes not just critical bugs taking priority over less critical ones, but also the type of Apple product a bug is submitted for.
"If a bug is related to an Apple product like iPad or MacBook, you may get a reply within 48 hours whether it's a valid bug or not," he said. "If you report a bug related to an Apple-owned website, you might have to wait a long time -- two months -- to get the first proper response from the team."
Sankhwar referenced a vulnerability related to the website for Apple subsidiary Claris. He said he submitted the bug to Apple last May, was asked for crediting information this February, and is still waiting for a bounty payout.
Reguła also noted some variance in responsiveness, saying high-severity bugs got faster response times than lower-severity bugs.
"I've had issues that Apple fixed really fast with great communication," he said, "and sometimes I've had the opposite situation."
Remaining pain points
Brandon Perry, security researcher and Atredis Partners principal research consultant, had mixed feedback for Apple's bug bounty program. He said in a mid-February Twitter thread that he had received no substantial updates for a number of vulnerability submissions in "weeks," despite repeated email requests for updates. He detailed the vulnerabilities, which were related to GarageBand and Logic Pro X, in a blog post.
In the blog, Perry said he sent Apple 38 crashes and that two were ultimately deemed security-relevant CVEs (CVE-2022-22657 and CVE-2022-22664). The bugs were originally submitted in December 2021, and Perry received an update from Apple shortly after the Twitter thread was made. He was credited in a March 14 security update.
"It felt like getting any info from Apple until the bugs were pushed in a fix was like pulling teeth," Perry told SearchSecurity. Other programs, like HackerOne and Bugcrowd, are "more responsive and interactive," he said.
Though he pointed to these issues as room for improvement, Perry said that a turnaround time of four months on 38 bug submissions was "an excellent time-to-bug ratio."
Despite improved communication and response times, complaints about inconsistent patching appear to be an ongoing issue for Apple. For example, the company was recently criticized for its handling of two zero-days, CVE-2020-22674 and CVE-2022-22675. The actively exploited flaws were patched in the company's macOS Monterey operating system as well as on several iPhone and iPad models; the company, however, has not yet offered similar patches for Mac computers running macOS Catalina and Big Sur.
Rodriguez noted another ongoing issue: low payouts. Apple advertises some of the highest payouts among vendor-run bug bounty programs, but Rodriguez said Apple would often "lowball" vulnerability payouts down to a fraction of the example figures on Apple's website. In a recent example, he referenced a vulnerability that had a lower-end advertised payout of $100,000 and a higher end of $250,000. The payout he will be awarded, he said, is $25,000 -- one-fourth of the lower end.
Another security researcher, who asked to remain anonymous, similarly described Apple's payout list as "not detailed enough." However, they said they've sometimes received slightly larger bounties than they expected, and that payouts may differ based on report quality and vulnerability impact.
On the other hand, the researcher described a recent case where they reported an exploit chain to Apple and the vendor paid out the bugs individually rather than awarding an enhanced bounty that recognizes the chain as a greater issue.
Apple had not responded to SearchSecurity's request for comment as of press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.