Apple may be a leading consumer electronics company, but it isn’t making any friends in the security industry and may be leaving users vulnerable.
Like many tech companies, Apple uses bug bounties to encourage white hat hackers — security researchers and ethical hackers — to try to find and report security issues so the company can fix them before they’re exploited in the wild.
Unfortunately, the company is frustrating the very security researchers it depends on, according to The Washington Post. The company has developed a reputation for not always paying researchers what they believe they’re owed and for being slow to fix the problems reported to it.
Apple has a well-established reputation for secrecy, and the company applies that same culture to its dealings with security researchers. Unlike other companies that publicly recognize researchers for their accomplishments and provide support and resources, Apple remains tight-lipped. The company often doesn’t provide feedback on whether or when a bug will be fixed. Worst of all, Apple is typically opaque about how it classifies bugs, meaning researchers have little information or recourse when the company doesn’t pay what the researcher thinks the bug is worth.
In short, Apple’s approach is a recipe for disaster. Some researchers no longer bother notifying Apple of the bugs they find, opting instead to sell them to governments or simply to go public without giving Apple time to fix them first.
Ultimately, researchers are concerned Apple’s users will pay the price.