In addition to Wardle and Bassen, I spoke to eight bug hunters in the program after granting them anonymity, which they requested so they could talk freely about the confidential details of the program. All of them said they have yet to report a bug to Apple, and none of them know of anyone who has. Apple declined to comment for this story.
In September 2016, Apple flew Wardle, prominent iPhone jailbreaker Luca Todesco, and a small, select group of white-hat hackers to its Cupertino headquarters.
During their stay, Apple pitched the researchers on collaborating with the company by joining the bug bounty program. Apple security employees gave presentations, took the researchers out for dinner, and gave them a chance to chat and discuss their work. Even Craig Federighi, Apple's senior vice president of software engineering, made a surprise appearance to meet and greet the researchers, according to two sources who attended.
"If you're just doing it for the money, you're not going to give [bugs] to Apple directly."
But it's not just about the immediate reward. iOS is such a complex, locked-down, and secure operating system that simply to inspect and do research on it, one needs multiple unpatched zero-day bugs, perhaps even a full-fledged jailbreak, according to researchers. In other words, you need unknown bugs just to find bugs in other parts of the operating system that might otherwise be locked.
That's why some prefer to keep their bugs and continue doing research rather than handicapping themselves for a reward of a few thousand dollars.
"Nobody is going to kill bugs unless they're fucking dumb," Luca Todesco, a well-known iPhone jailbreaker, told me a few months ago. "Just because they will kill their own future […] If I kill my own bugs then I'm not able to do my own research."