UPDATE, Oct. 8, 5:36 p.m. ET: A few hours after we published this story, Curry said that Apple had just notified the researchers that they were getting more rewards, bringing the total to $288,500. At this point, according to Curry, Apple has paid rewards for 32 of the 55 bugs he and his friends reported.
The original story follows below.
Five hackers researched and analyzed several Apple online services for three months and found a grand total of 55 vulnerabilities, some of them potentially very dangerous, according to a blog post written by one of the hackers.
One of the worst of all the bugs they found would have allowed criminals to create a worm that would automatically steal all the photos, videos, and documents from someone's iCloud account and then do the same to the victim's contacts.
The researchers said they also found that they could access Apple's source code repository, the place where Apple stores code for "hundreds of different applications, iOS, and macOS."
The five researchers reported all the bugs to Apple, which fixed them quickly, and received a total of $55,100 through the company's bug bounty program.
"When we first started this project we had no idea we'd spend a little bit over three months working towards its completion," said Sam Curry, one of the hackers who did the research, along with Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes.
"This was originally meant to be a side project that we'd work on every once in a while, but with all of the extra free time with the pandemic we each ended up putting a few hundred hours into it,” Curry wrote in the blog post.
While that may seem like a good chunk of cash, doing some math puts it under a different light. Five researchers each worked "a few hundred hours" hacking Apple services to find 55 vulnerabilities over three months. That's roughly $1,000 per vulnerability, or about $200 per vulnerability for each person, and roughly $3,700 per month for each person. That, according to Dan Tentler, the founder of security company Phobos, is "incredibly low."
"50k is the type of money I'd expect to see in a two to four week security assessment, however the issues these amazingly talented folks discovered are worth orders of magnitude more," Tentler told Motherboard in an online chat. "Imagine if any nation state threat actor discovered those. Imagine how far reaching the damage would be. Apple is signaling that all that is only worth 50k to them. That to me is insane, and contravenes all of their huge public marketing campaigns about how they take privacy and security seriously."
For Katie Moussouris, perhaps the world's foremost expert in bug bounties, the payments may be fair.
"The skills required to find web based vulnerabilities are more commonly found than for mobile or iOS hacking," Moussouris told Motherboard. "Apple would logically reserve higher payouts for hacking its core OS than for hacking its websites. That being said, there’s no question they were willing to pay for the iCloud data compromise and other findings."
"The real question is: could Apple have paid the same amount to professional penetration testers, given them documentation instead of wasting their time doing black box recon, and found the same or more in far less time," Moussouris concluded.
The play-by-play of the researchers' work is a great, detailed window into the Apple bug bounty program. Announced four years ago, the program did not initially entice researchers to submit any vulnerabilities, but it has slowly started to give out rewards. These vulnerabilities are also a great example of how bug bounty programs just may not be worth it for most security researchers, as they require a lot of work, and the eventual payout, if there is one, may not justify the time investment.
As a former Apple employee joked on Twitter, "bounties are really cheap labor."
To be fair, Curry said that the five will likely get more money in the next few months.
"I feel confident Apple will likely pay what these are worth, but to be fair, we smashed out a large number of issues in a short time period, so to go through the process for them is a bit more tough than someone reporting 1 or 2 issues," Curry said. "I am a bit bummed about the lack of communication regarding this process but beyond that am more than happy with the program."
Still, this is just another example of what many experts think is a big problem in the bug bounty industry. As the cybersecurity consultancy Trail of Bits wrote in a blog post last year, "trying to make a living as a programmer participating in bug bounties is the same as convincing yourself that you’re good enough at Texas Hold ‘Em to quit your job."
UPDATE, Oct. 9, 10:07 a.m. ET: On Thursday evening, an Apple spokesperson sent a statement commenting on the researchers’ findings.
“As soon as the researchers alerted us to the issues they detail in their report, we immediately fixed the vulnerabilities and took steps to prevent future issues of this kind,” the spokesperson said. “Based on our logs, the researchers were the first to discover the vulnerabilities so we feel confident no user data was misused. We value our collaboration with security researchers to help keep our users safe and have credited the team for their assistance and will reward them from the Apple Security Bounty program.”