Why are bug bounties failing for Apple?

At the prices they are offering, a lot of bugs in their software are going undetected.  Yet the company has the funds to pay more, and you might think for Coasean reasons the value to Apple of maintaining the franchise is pretty high.  So why don’t they pay more?  From Russell Brandom, this may be the reason:

If Apple really did put its enormous cash reserves behind catching every bug, the result might have unintended consequences for its own security workforce. Building and deploying patches is hard work, every bit as delicate and creative as finding vulnerabilities. Companies need dedicated teams to do that work — but with skyrocketing prices for iOS vulnerabilities, why not put in a few months to find an exploit, turn it in for the bounty, and then spend the rest of the year working on your tan? “If Apple or other defense bounties tried to outbid or even match offense bug prices, they may lose the employees they need most to fix the issues,” Moussouris says.

The article is of interest more generally.

Comments

Comments for this post are closed