A Major Evolution of Apple Security Bounty

Posted3 months agoActive3 months ago

jacopoj

84 points

10 comments

security.apple.comTechstory

calmmixed

Debate

60/100

Apple Security BountyVulnerability DisclosureBug Bounty Programs

Key topics

Apple Security Bounty

Vulnerability Disclosure

Bug Bounty Programs

Apple has announced a major evolution of its Security Bounty program, which has sparked a mixed reaction from the security research community, with some appreciating the changes and others criticizing Apple's handling of past reports.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

4-6h

Avg / period

Key moments

01Story posted
Oct 10, 2025 at 5:39 AM EDT
3 months ago
Step 01
02First comment
Oct 10, 2025 at 7:05 AM EDT
1h after posting
Step 02
03Peak activity
5 comments in 4-6h
Hottest window of the conversation
Step 03
04Latest activity
Oct 11, 2025 at 2:10 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (10 comments)

Showing 10 comments

nwellnhof

3 months ago

1 reply

Paying $1,000 for low-impact issues is a nice move which might make me contribute to their program again.

lapcat

3 months ago

2 replies

Don't bother. They'll find an excuse to pay $0. This is all at Apple's inscrutable discretion.

agos

3 months ago

1 reply

aren't all bug bounty program at the sponsor's inscrutable discretion?

lapcat

3 months ago

Yes, but Apple tends to be more inscrutable than anyone else.

nwellnhof

3 months ago

At least it seems that they won't assign CVE IDs and credit researchers without compensating them at all (which is what happened when I reported CVE-2024-27811, for example):

> We want those researchers to have an encouraging experience — so in addition to CVE assignment and researcher credit as before, we will now also reward such reports with a $1,000 award.

lapcat

3 months ago

2 replies

A "major evolution" would be for Apple to have informative two-way conversations with security researchers and to stop stiffing them for reports.

I submitted a few macOS reports to the program, but Apple just sat on them forever, sometimes years, until I got frustrated enough to just publicly disclose the bugs. Needless to say, Apple never paid me a dime. For that reason, I don't actively look for macOS bugs anymore, and if I happen to find anything by accident, I'll just 0day.

I think that demanding full exploit chains is an excuse to ignore bugs and to discourage researchers from reporting them. What if a full exploit chain exists, but the links of the chain are known by different researchers? The researchers are incentivized to withhold bug reports without the full chain, and meanwhile an attacker who happens to have the full chain won't withhold their attack. Apple is practically making the black market for bugs more valuable.

It's basically the same as Apple demanding a sysdiagnose before they'll even look at a non-security bug report. Typo in the developer documentation? Please attach a sysdiagnose! It's ridiculous.

saurik

3 months ago

1 reply

Yeah: this is all just noise, lies heaped upon lies. At times I've at least felt as if a few of the people involved internally "mean well", despite the company as a whole being evil... but, then I had to realize: their entirely-useless "sort of meaning well" was just causing me to slightly stall on going scorched earth on the entire program, so they were actually just yet another part of the problem. Apple--as a whole, including the people who work there, including the people who feel like they are different--just simply doesn't care about end-user security: they only care about maintaining control.

blackqueeriroh

3 months ago

Companies aren’t evil or good, they’re companies.

People can be evil or good.

commandersaki

3 months ago

I think it's just reacting to the market; with MIE the cost of full chains probably go up significantly, and individual chains are worth less than what it would be when included in a full chain.

Individual chains of course are still eligible for rewards:

> Individual chain components or multiple components that cannot be linked together will remain eligible for rewards, though these are proportionally smaller to match their relative impact.

Edit:

I think those that build a full chain and attempt to sell to the regular posse would rather just take the bug bounty from Apple. There's little information about the 0day market for chains but from what I've seen it is you need to provide long term support and hoard alternative methods when different parts get discovered or break down. With MIE and other mitigations and vigilant scanning of devices, there's more chance exploits and techniques are discovered, patched, and you as VR/ED will only get a small fraction of the contract (like say $8m over a couple of years). (Someone from the 0day industry feel free to correct me.)

commandersaki

3 months ago

Curious how this target flag thing will work. I'm guessing each flag in the OS would be unique and possibly easy to discover. It is just when you submit your exploit/bypass to Apple in their verification environment where the security controls can't be bypassed, if you reveal the right flag they confirm the bounty?

View full discussion on Hacker News

ID: 45536948Type: storyLast synced: 11/20/2025, 1:32:57 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN