According to recent statements by Ian Beer, Apple should donate almost $2.5 million to charity just for the bugs he has reported in iOS and macOS. Doesn’t Apple reward bugs found by third parties? Apparently not enough.
Google’s Project Zero is the department for finding security holes in third-party products and services. They do not do this to attack these companies, but to warn them of these bugs so that they can correct them within a maximum of 90 days before they are made public. With this, they seek to improve security on the Internet. Reporting security bugs to other companies is a common practice, and there is a “mutual agreement” to give the company 90 days to correct a bug before making it public.
Ian Beer has found a lot of security holes in Apple’s operating systems, always reporting them and giving Apple 90 days to fix them. But in a recent statement, he warns that what Apple pays for the discovery of bugs is less than what other companies pay. He says that for all he has reported, Apple should have paid him about 2.45 million dollars.
This is not the first time the Apple reward program has been mentioned. The company has had it open for about two years, but you only get in by invitation. The maximum payment Apple offers is 200 thousand dollars per vulnerability. Although it may seem a lot, it is relatively little considering what other companies of Apple’s caliber offer.
Consequently, many researchers decide to offer these vulnerabilities not to Apple but to other companies. For example, some time ago we saw a company offering to pay up to 3 million dollars for exploits in iOS and macOS. Of course, what these companies do with these vulnerabilities is probably not as beneficial to the user as what Apple could do with them.