Apple Needs a Bug Bounty Program


Twitter just launched a bug bounty program. That's a smart move, and it's a move Apple should watch. Any big tech company that offers software should also offer a bug bounty program to protect it. Now is the perfect time to understand the value of giving hackers a reason to help.


The creator of iBrute, possibly the tool used to steal those celebrity nude photos, told Forbes he would have forewarned Apple for proper compensation. While we still don't know exactly how the attackers got their hands on those photos, Apple hasn't denied that the iBrute tool was used. Either way, a weakness existed that made possible the kind of targeted attack Apple believes occurred in the celebrity photo theft. Someone knew about it, and they had no incentive to warn the company.

Why not? Facebook, Google, Microsoft, and now Twitter have all realized the value of bounty programs, as have many other small organizations—these programs are smart for startups as well as big players. Startups often experience growth that outpaces their security capabilities, and leaning on outsiders can help stave off disaster.

Secret, for instance, was able to patch a serious vulnerability before anyone exploited it, because its bug bounty program brought the report in first. Meanwhile, startups that dismiss outside help, like Snapchat, have suffered big security breaches, in Snapchat's case partly because of its hostile attitude toward the outside hackers who reported its flaws.

Bigger companies have it tougher. When you're huge and handling millions of people's data, it's harder to admit that maybe you aren't doing it perfectly. Pretending everything is airtight can seem like the better option. Until it isn't. To be fair, Apple isn't completely dismissive: it gave a hacker an internship in the past, and it does provide a page for developers to report bugs. But that's not enough.

Bug bounties aren't a silver bullet; companies can't just offer a fat reward and call it a day. Anticipating underlying vulnerabilities is crucial, but no software will ever be entirely secure, and pretending otherwise is foolhardy. The reality is that whoever stole those nude pictures probably would have found a way to get them whether or not iBrute existed (they may not even have used that particular tool; there are plenty of other options). But while a company can't completely eradicate the potential for bugs, what it can control is how it cooperates with the people who find them.

I asked Apple why it doesn't have a bug bounty program, and I'm still awaiting a response. I suspect it's related to the company's notoriously privacy-minded culture. It may also be for a reason laid out by information security expert Kenneth van Wyk: "I can't help but think that the bug finders are in essence holding a metaphorical gun to the heads of the software companies by saying, 'pay up or I'm going to publish this vulnerability to the world,'" he wrote in Computerworld. The way van Wyk sees bounties, and the way Apple may see them, is akin to a kidnapper demanding ransom.


The thing is, people are going to find bugs. And yes, bug bounty programs do acknowledge that those people have leverage over a company. There will always be people who want to exploit security vulnerabilities for their own purposes, but some would settle for a little recognition (and cash) over the trouble of orchestrating a massive leak of scandalous photos. That trade only happens when a company sheds the insular, hubristic attitude toward security that is common in tech. Facebook, for instance, has given 687 bug bounty awards since it started its program in 2012. That's a lot of help, recognized. And who knows how many disasters averted.

Lead image: Guilherme Tavares/Flickr




It really seems like a no-brainer. Even if a hacker comes to you with higher demands and says "There's a bug that will allow me to..." without specifying exactly what the bug is, it's at least an alert that a potential bug exists and you should be double-checking your work. The alternative seems to be living in blissful ignorance until you have a very public security breach.