A renowned security researcher slammed Apple’s bug bounty program and challenged CEO Tim Cook to donate $2.45 million to charity.
That’s the amount that the researcher, Google’s Ian Beer, said he should have received from reporting iOS bugs to Apple so that the company could patch them. Beer tweeted at Tim Cook during a talk he was giving at the Black Hat security conference in Las Vegas.
According to Business Insider, his presentation was a “technical look” into iOS security. But near the end, he veered into public criticism of Apple and its bug bounty program.
“I don’t think Apple intended to use the bug bounty program as a PR tool, but obviously it’s given them plenty of good PR; these supposedly high prices are frequently quoted and, like the million dollar dissident, used as this comfort blanket you can wrap yourself in,” Beer wrote in his slide deck.
Hi @tim_cook, I’ve been working for years to help make iOS more secure. Here’s a list of all the bugs I reported which qualified for your bug bounty since its launch, could you invite me to the program so we can donate this money to @amnesty? pic.twitter.com/VUKj7BaJ4P
— Ian Beer (@i41nbeer) August 8, 2018
He added that the reason for his criticism of Apple is that the company does a “poor job” of patching the security flaws he does discover.
Beer is one of the most high-profile security researchers in the world. He currently works for Google’s Project Zero, a team of security analysts that hunt and publicize zero-day vulnerabilities. Beer and Project Zero have found dozens of such vulnerabilities in Apple’s software.
Apple’s bug bounty program, which was launched back in 2016, pays big money for flaws discovered in its various platforms. But unlike many bug bounty initiatives launched by other tech companies, Apple’s is an invite-only program.
Because he isn’t a part of the bug bounty program, Beer contends that he hasn’t been compensated fairly for his contributions to Apple’s software security.
The researcher said that $2.45 million is what you get when you add up payments for all the Apple bugs he’s discovered and double it to represent the Cupertino tech giant matching the amount for charity.
In his tweet, Beer said that Apple should donate that amount to Amnesty International, an NGO focused on human rights.
On the other hand, it’s worth noting that finding security flaws and vulnerabilities is basically Beer’s day job. He gets a check from Google and Project Zero for discovering and sending those bugs to other technology firms, from Apple to Microsoft.
Business Insider points out that Google hasn’t commented on whether its security employees are allowed to collect bug bounties.
Apple’s security on iOS and its other platforms is notably tight. When exploits are discovered, the company works very quickly to close those loopholes — as seen with the recent proliferation of iPhone hacking tools aimed at law enforcement.
Because iPhones are tough to crack, hackers and security researchers can often make far more money weaponizing exploits or selling them on the black market than by cooperating with the company.