Getty Images/iStockphoto

Burned by Apple, researchers mull selling zero days to brokers

Security researchers have grown frustrated with Apple's lack of communication, ‘silent patching’ of vulnerabilities, denial of bug bounty rewards and other issues.

Mounting frustration with the Apple Security Bounty program could have tangible consequences for the tech giant, as some security researchers said they are considering selling their vulnerability discoveries to zero-day brokers and other third parties.

Since Apple launched its bug bounty program to the public in 2019, several security researchers have criticized the program for a variety of issues. The most visible recent example of this frustration came when researcher Denis Tokarev, who goes by the handle "illusionofchaos," publicly disclosed three apparent zero-day iOS vulnerabilities, along with a scathing critique of Apple's bug bounty program. In a blog post, Tokarev accused Apple of not properly crediting him for finding flaws and criticized the company's communication practices.

Soon after, another researcher known as "impost0r" with the not-for-profit reverse-engineering group Secret Club dropped an apparent macOS vulnerability, along with instructions on how to exploit it.

They are not the first to publicly post zero days after being disgruntled with a vendor. Frustrations with the Apple Security Bounty (ASB) are far from new, but recent events have ignited a new wave of criticism against the tech giant.

Apple Security Bounty
Ivan Krstic, head of security engineering and architecture at Apple, introduced the Apple Security Bounty program at Black Hat 2016 in Las Vegas and said the company would make it a priority to resolve bug reports

Researcher frustrations

Several security researchers who either work or have worked with Apple in the past criticize the company for communication and recognition issues in ASB, and a few expressed a willingness to work with third parties such as zero-day brokers following these frustrations.

Apple Security Bounty began in 2016 as an invite-only bug bounty program for researchers to submit vulnerabilities and exploits to Apple in exchange for monetary rewards. In 2019, zero-day submission became publicly accessible.

According to Apple's website, the maximum payouts for vulnerabilities vary. For anything that enables "unauthorized access to iCloud account data on Apple Servers," the maximum payout is $100,000. On the high end, Apple will pay up to $1 million for a "zero-click remote chain with full kernel execution and persistence, including kernel PAC bypass, on latest shipping hardware."

SearchSecurity spoke with several researchers who have submitted bugs to Apple and described consistent issues with communication.

Tokarev, who publicly released details of three apparent zero days, said in his blog post that Apple did not publicly list or credit the flaws he submitted in its security updates. He told SearchSecurity that his initial reports were "screened by humans and acknowledged within 24 hours," and that Apple apologized and promised it would be remediated.

However, none of the subsequent three security updates acknowledged his submissions.

Tokarev tweeted this week that one of his three supposed three zero-days was fixed in iOS 15.0.2 -- uncredited – and two remained unpatched. In a follow-up Tweet Thursday evening, he said he finally received an email from Apple confirming one of his reported vulnerabilities, and added he will receive credit for the bug in a future security advisory.

Wojciech Reguła, an iOS and macOS security researcher and head of mobile security at infosec consultancy Securing, published his recent experience with ASB last month in a blog post regarding a medium-severity macOS vulnerability that he submitted in June 2020. Regula wrote that Apple fixed the vulnerability in November, assigned a CVE in December, and told him in May that it was not eligible for ASB. He claimed he submitted a re-adjudication in May and was still waiting for a review as of the September blog post.

In direct messages with SearchSecurity, Regula said he was paid for previous Apple bug bounty submissions, but overall "that program is really bad." He cited lack of communication, vulnerability submissions that can take over a year to fix, and months-long waits for bounty decisions.

Another credited bug bounty researcher, who asked to remain anonymous, described similar experiences with Apple. They shared a timeline of a vulnerability submitted last December; the flaw was patched in April, they were credited in May, and as of Friday they have not received a judgment regarding whether the bounty will be paid or, if it is, how much.

"Communication with Apple Product Security has been bad overall. They usually don't give updates until you ask them for an update a couple of times, and sometimes they take a very long time to reply," the bug bounty researcher said. "If you ask questions like 'Have you been able to reproduce my bug?,' they'll probably vaguely reply that, 'We are still investigating and have no new status updates to share at this time.' A lot of researchers have complained that talking to them is like talking to robots."

Shail Patel, a researcher and application security engineer at FormAssembly, said he and research partner Ashish Kunwar have had "some horrible experiences with [Apple's] security team(s)."

"On various occasions, when we reported our findings to Apple, our reports were not acknowledged or triaged for weeks until multiple repeated follow-ups," he said. "Not just that, but when it comes to remediation, many of our high-severity findings were not patched for months." Moreover, he said the duo "never received a single bounty for any of our submissions," despite having vulnerabilities he described as "in-scope and eligible for bounty payouts." He added that, by his estimation, they had not broken nondisclosure agreements or rules of engagement for the submissions described.

TechTarget screenshot
Security researcher Wojciech Reguła posted a timeline of events regarding a recent vulnerability discovery, which Apple patched but deemed ineligible for a bug bounty reward.

Silent patching

Patel also mentioned two instances of "silent patching," which typically involves a vendor fixing a reported bug without disclosing the vulnerability or giving the researcher public recognition.

The first instance for Patel is described in a blog post published earlier this month. In the other, he described an instance where he and Kunwar "exploited an application-level denial of service on [Apple's] sales domain." He claimed Apple told them it was expected behavior, and that at a later time they learned Apple "silently patched that one without any acknowledgments."

I'm not going to hunt on Apple ever again.
Ashish KunwarSecurity researcher

"I'm not going to hunt on Apple ever again," Kunwar said.

Not all Apple researchers have sworn off the ASB. One anonymous researcher, who goes by the Twitter handle "08Tc3wBB," was far more positive of Apple's bug bounty program.

"It has actually been way better than my expectation," he said. "If I find more zero days in the future, reporting to Apple will be my prior choice." 08Tc3wBB mentioned high bounties as well as the freedom to discuss and publish research once a flaw is disclosed.

His communication experiences, however, have varied.

"To put it simply, if Apple reaches out to me first -- it could be that they have questions about a case I submitted, or they saw my tweet and are interested in learning more information -- communication with Apple is easy, and they respond quite fast," 08Tc3wBB said. "In other situations when Apple didn't reach out to me first, it's slow. Several months without hearing anything from them is normal. Some of my side questions have never been answered."

Impost0r said his experience with ASB "pales" in comparison with other vendors with which he's worked.

"I'd say that Apple has left the worst taste in my mouth of them all," he said. "Does that mean they're the worst to work with? Not necessarily, but I feel I got burned bad with [Apple], whereas the [other] vendors have had at least the common courtesy of replying."

Impost0r also called Apple "insanely slow on the reply."

Problematic bug bounty programs don't stop with Apple. John Jackson, a penetration tester at Trustwave's SpiderLabs and independent researcher, tweeted in late September that he would no longer work with bug bounty programs, and would instead sell exploits through legal means.

"I've had issues with programs understanding the impact of vulnerabilities, I've had payments lowered, I've had program managers straight up stop responding to tickets and, most importantly, bug bounty platforms have facilitated this shoddy behavior," he said. Though he did not specify which programs, he mentioned an experience with Ford and HackerOne in an Oct. 1 Twitter thread.

Jackson said has not submitted vulnerabilities to Apple because "I'm smart enough to not research on Apple."

When Apple first launched ASB as a private, invite-only program at Black Hat Conference 2016, researchers applauded the news. "We are going to make it a top priority to resolve these confirmed issues as quickly as possible," said Ivan Krstic, head of security engineering and architecture at Apple, during the event.

But researchers like Regula and Patel say the issues with Apple's bug bounty program have gradually gotten worse. Tokarev said patience with the ASB program has thinned over time.

"Now there is a public disappointment in ASB, so when some researcher sees that a number of people weren't credited or paid, they might be more aware of the fact that such things could happen to them, too, so they start to have lower expectations and lower tolerance,” he said. “And in the end, they would go public sooner if Apple chooses to ignore them."

In an email, an Apple spokesperson said the company is working to improve its response times, further improve communication and introduce new rewards for researchers.

"Apple Security Bounty publicly launched in 2019 with the largest payouts ever offered in the industry, including the world's first $1 million bounty. Since then, Apple Security Bounty has grown the total rewards paid to researchers far faster than any other program in the industry's history," the statement read.

"We've already paid out millions of dollars this year, and issued nearly double the number of researcher rewards compared to all of 2020, all while leading the industry in average payouts. We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world."

Apple has not responded to requests for more insight into its payout figures as well as the methodology used to determine how its payouts compare to other bug bounty programs.

Researchers mull selling zero days

When researchers discover new vulnerabilities, they can report them to vendors directly or they can submit them to a number of bug bounty platforms, such as HackerOne, Bugcrowd or Zero Day Initiative (ZDI). Or they can sell the information to a third party.

What constitutes a third party can vary greatly. In more ethically gray territory, there are a number of "zero-day brokers" like Zerodium that will buy and sell exploits, as well as online marketplaces like 0Day Today. And of course, a researcher could also choose to sell directly to a more malicious party like a threat actor.

A potential issue with zero-day brokers and marketplaces is that there is no guarantee on who the buyer will be or what the buyer plans to do with the exploits. For example, the buyer could be a nation-state or a spyware vendor such as the NSO Group. On the flip side, zero-day brokers can pay significantly more than most vendors.

Despite the launch and expansion of the Apple Security Bounty, the market for Apple zero days appears to have surged in recent years. Last May, Zerodium tweeted that it would temporarily stop accepting most Apple submissions due to a "high number of submissions." Zerodium CEO Chaouki Bekrar slammed iOS security in a follow-up tweet.

Some iOS exploits have reportedly sold for millions of dollars. HackerOne CTO Alex Rice acknowledged that bug bounty programs won't be on par financially with a zero-day broker or buyers on the black market, but he added that it's up to programs to create a positive enough experience to balance that fact out for well-intentioned researchers.

"It's challenging. There are absolutely programs out there that are well run and competitive [with brokers and the black market], but they'll never be there on a dollar-for-dollar basis. And I think that's an important thing to recognize, that they should be competitive for folks who care about the holistic part of the part of the experience," Rice said. "The question is, is the experience pleasant enough and seamless enough? Where you're able to balance all risks associated with that vulnerability to make the right call for you as an individual researcher?"

08Tc3wBB said he has sold to both Zerodium and ZDI in the past, and that there are pros and cons to working with them.

"Zerodium, or the 'grey market,' has a much higher requirement for exploit quality and completeness," he said. "The best bet for a partial exploit chain or privacy leak bugs is a 'white hat' vulnerability acquisition program such as Pwn events, ZDI and ASB. They all are going to report to the vendor (Apple) at the end."

ZDI and Zerodium have more restrictive disclosure policies than Apple, 08Tc3wBB said, and in his experience, Apple pays significantly more for zero days than ZDI.

While he hasn't done it himself, Regula said he knows people who have sold vulnerabilities out of frustration with Apple.

"Some of my friends already started selling their bugs because of their bad experience with the ASB," he said. "I'm 100% sure that if the ASB was researcher-friendly they would report their issues to Apple. I’d like to report my vulnerabilities directly to Apple, but I'm getting frustrated because of the ASB."

Security researchers Kunwar and Patel said they would be open to selling zero-days to third parties.

I am strongly considering selling exploits to zero-day parties henceforth. This gives me a certainty that at least someone is considering it and that I will be compensated for my time and efforts.
Shail PatelSecurity researcher

"I am strongly considering selling exploits to zero-day parties henceforth," Patel said. "This gives me a certainty that at least someone is considering it and that I will be compensated for my time and efforts."

Tokarev said he considers himself more of a developer than a security researcher, and that he hasn't considered selling to a third-party like Zerodium. To date, he has not been paid for a submitted zero-day. While he would consider selling a vulnerability to a third party under the right circumstances, he stressed that he has no desire to sell his research to "any kind of unreputable entities."

An ongoing problem

Katie Moussouris, founder and CEO of Luta Security as well as a pioneer in vulnerability research and disclosure, said the infosec community's frustration with vendors over bug reporting and payments is not new.

But even though this type of discourse isn't new, this new wave is "very much indicative of the overall temperature in the water in this ecosystem," she said.

One issue Apple faces is that it focuses too much on monetary rewards and not enough on researcher outreach and the "human element," Moussouris said.

"They need to take a look at what are their true goals, because the incentives they've created are only monetary, and that is not getting them the security results they want," she said.

The mounting frustration with Apple and the ASB program coincides with an alarming number of zero-day vulnerabilities disclosed by the vendor this year -- 17 as of mid-October. In addition, there's growing concern in the infosec community about how spyware and offensive security firms like NSO Group are potentially gobbling up high-value zero days and exploits for malicious purposes.

A key issue with bug bounty programs as a whole is that there is "no neutral hacker support" to advocate for researchers, Jackson said. Vendors are beholden to their own interests, and bug bounty platforms to their clients.

Jackson, who said he will not work with bug bounty programs in the future and will instead sell to third parties through legal means, said he isn't concerned that this approach could land exploits in the wrong hands.

"Am I concerned? Well, I guess that depends. Are companies doing their part to pay hackers for helping? I don't think anyone would sell zero days if affected companies actually paid their hackers a reasonable amount," Jackson said. "I'm not worried. The people that should be worried are the companies consistently turning their backs on hackers trying to do the right thing."

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Risk management