Critics say Apple’s reverse hacker program is skewed so 'house always wins'

Hannah Mitchell

Apple is facing criticism for its bug bounty program that critics say gives the tech giant an unfair advantage when negotiating payouts to "ethical hackers," according to a Sept. 9 Washington Post report.

An ethical hacker is a cybersecurity researcher who looks for vulnerabilities in a system without malicious intent. For five years, Apple has encouraged these hackers to break into its services, offering up to $1 million to any hacker who exposes serious security flaws.

Seven things to know:

  1. Some people familiar with the program have expressed concerns that the tech giant fixes the bugs too slowly and does not pay hackers the bounty they're promised. Program critics told the Post that Apple's handling of the program has hurt the company and created a blind spot in its security.

  2. "It’s a bug bounty program where the house always wins," Katie Moussouris, CEO and founder of Luta Security, told the Post. Ms. Moussouris said that Apple has a bad reputation in the security industry, which will lead to products with security vulnerabilities and higher costs in the future.

  3. Ivan Krstić, head of Apple Security Engineering and Architecture, told the Post that the bounty program "has been a runaway success." He added that Apple has doubled the number of bounties it paid since last year and that it pays higher than the industry average.

  4. Mr. Krstić said Apple paid $3.7 million in 2020, whereas Microsoft paid $13.6 million from July 2020 to June 2021 and Google paid $6.7 million in 2020, according to the report.

  5. Apple offers $100,000 in bounties for attacks that gain unauthorized access to sensitive data. However, some researchers have said they had to fight over what qualifies as "sensitive." One researcher was given $5,000 because Apple didn't consider the exposed data to be sensitive while the researcher said the vulnerability hypothetically could expose other companies' servers.

  6. An anonymous former employee and an anonymous current employee told the Post that Apple has a massive backlog of bugs that it hasn't fixed yet.

  7. Some ethical hackers have chosen to sell the data they uncover to government agencies or companies that sell hacking services. Other ethical hackers may go public with data on the vulnerability, which could put Apple's customers at risk, the Post reported. Hackers who don't take the ethical route can rake in as much as $2 million for iPhone vulnerabilities. For Android phones, exposing vulnerabilities goes for about $2.5 million.

Copyright © 2021 Becker's Healthcare. All Rights Reserved.