A study shows that Apple can pay up to 5x more than Samsung per exposed vulnerability on its bug bounty program. That said, the Cupertino company still faces complaints from researchers, with some saying Apple didn’t give them credit for the zero-day flaw reported.
The study conducted by Atlas VPN shows that Apple pays from $100K to $1 million to researchers who find exploits in their service, while Samsung’s bug bounty program rewards researchers between $200 and $200K for qualified exploits.
Huawei, on the other hand, offers payouts from $200 to $224K for found vulnerabilities in their devices.
Atlas VPN says the data is based on publicly available information on how much the most significant phone and other electronics manufacturing companies pay for found vulnerabilities in their devices.
Although Apple pays better than Samsung or these other companies shown above, its bug bounty program is not controversy-proof. In 2017, researchers complained about low payouts on discoveries. In 2021, Apple hired a new leader to reform its bug bounty program since security researchers felt “fed up” with it.
At the time The Washington Post included a notable story from Tian Zhang, an iOS software engineer, who claimed to have submitted multiple bugs to Apple and never received a payment:
Tian Zhang, an iOS software engineer, first reported a bug to Apple in 2017. After months of waiting for Apple to fix the bug, Zhang lost patience and decided to blog about his discovery. The second time he reported a security flaw, he says Apple fixed it but ignored him. In July, Zhang submitted another bug to Apple that he says was eligible for a reward. The software was quickly fixed, but Zhang didn’t receive a reward. Instead, he was kicked out of the Apple Developer Program. Membership in the program is required to be able to submit apps to the App Store. Apple did not comment on Zhang’s allegations.
A few days after this report, 9to5Mac also published another story about another researcher that shared their experience claiming that Apple didn’t give them credit for one zero-day flaw they reported which was fixed, and that there were three more zero-day vulnerabilities in iOS 15 at the time.
Have you ever submitted a bug or vulnerability to Apple, and if so, did the company reply back? Share your thoughts in the comment section below.
FTC: We use income earning auto affiliate links. More.