Apple refused to pay Kaspersky $1 million as a reward for the vulnerability search program

Tomcat

Kaspersky Lab identified serious vulnerabilities in the iPhone, but did not receive anything from Apple under the Apple Security Bounty program. The reward could be up to $1 million.

Payments were denied

Apple refused to pay Kaspersky Lab a reward for vulnerabilities discovered in 2023 in iOS that allowed attackers to embed a spy module on any iPhone, as RTVI found out.

The international tech giant itself announced a bug bounty program to reward "white hat hackers" for finding vulnerabilities and published information about it on its website. The program, called the Apple Security Bounty, was opened to the public in 2019 and promised payments of up to $1 million.

"We found zero-day, zero-click vulnerabilities, passed all the information to Apple, and did a useful job," said Dmitry Galov, head of Kaspersky Lab's Russian research center. "Given how much information we provided them and how proactively we did it — it's not clear why they made such a decision."

Stinginess or frugality?

Apple refused to pay the reward that Kaspersky Lab deserved, even in favor of a charitable organization. Galov said that such a practice exists. The company did not explain the reasons, just referred to internal rules.

One might assume that it is a matter of politics. For example, the international vulnerability search platform HackerOne did not pay $25 thousand to a Belarusian hacker in 2022, since he is "in the zone of sanctions".

But Apple has done this before. The Washington Post wrote in September 2021 that Apple allows confusion over payments and long delays, and does not always pay everything that is due. Cedric Owens, for example, said that he discovered a serious bug that allowed hackers to install malicious software on Mac computers, bypassing the security measures in place. Apple paid $5,000, or 5% of the amount Owens thought he deserved.

Nicholas Brunner received a commendation from Apple instead of the expected $50 thousand for a serious security error in the location tracking system. The publication also gives other examples.

Kaspersky Lab also suffered from Apple vulnerabilities

This policy creates a bad reputation for Apple and dampens researchers' interest in participating in the bug bounty. This is not to say that Apple does not need them. At the end of 2023, employees of Kaspersky Lab, the company that is now being denied payment for the vulnerabilities it found, suffered a hacker attack on their iPhone smartphones.

The attackers then exploited the well-known "Operation Triangulation" vulnerability, which was present in iOS for at least four years. Apple closed it only in the summer of 2023 with the release of the iOS 16.5.1 build. The flaw was contained in an undocumented hardware feature of the iPhone, which few people knew about outside of Apple and the suppliers of chips for its smartphones, as well as the British company ARM, the developer of the processor architecture of the same name.

The devices were infected with full-featured spyware, which, among other things, transmitted microphone recordings, photos, geolocation and other confidential data to servers controlled by attackers.