Apple’s decision to offer a $1m bug bounty has been criticized as potentially creating collusion opportunities and perverse incentives.
According to The Verge, Apple announced that it has expanded its existing bug bounty program to include macOS, tvOS, watchOS and iCloud. It will include rewards of up to $1m for a zero-click, full-chain kernel-code-execution attack.
Previously capped at $200,000, the maximum payout is now $1m for iOS vulnerabilities that let attackers control a phone without any user interaction.
Another $500,000 will be given to those who can find a “network attack requiring no user interaction,” reported Forbes.
Speaking to Infosecurity, Luta Security CEO Katie Moussouris said that she was concerned about raising it to this level “as it will probably have some unintended perverse incentive consequences,” because she said that this “does nothing to compete with the offense market.”
Moussouris argued it may also produce collusion with internal employees. Thirdly, she was concerned that this “may eventually cannibalize Apple's own hiring policy and its career retention pipeline,” for example if quality assurance engineers who have worked there long enough to know the architecture in depth feel that this is their only chance to earn big. “It would be a good investment for them; when else would you get a windfall like that?”
She said that “perverse incentives in the offense and defense market have to be examined very carefully because this is a price hike that is unsustainable. While this may produce new exploits and new talent willing to work for defense, the overall impacts on the bug market are yet to be seen and I am worried.”
The original bug bounties were $500 from 1995 to 2010, with 2010 seeing the first Google bug bounties, which started at $1,337 and which led to Mozilla raising its bug bounty to $3,000. Prices were then raised across the board.
“People thought the more, the merrier; this is what every company should do – keep raising the prices. But if you think about it, there is a logical limit which defensive prices cannot exceed because if you exceed them you start to see perverse incentives emerge,” Moussouris said. “I think the offense market, also known as the black market, will very quickly adjust.”