Apple bug bounty outbid by private broker, but does that matter?


Only a few days after Apple announced it would pay up to a $200,000 bounty to discover and report new security vulnerabilities in its products, vulnerabilities broker Exodus Intelligence announced it would pay more than twice as much for the same Apple vulnerabilities. 

Immediately, the Exodus announcement garnered headlines, saying it was “stealing Apple’s thunder” and that “some may find it hard to resist a counter-offer of $500k by blackhat company Exodus Intelligence.”

In fact, “zero-day” vulnerabilities — security flaws that not even the products’ manufacturers are aware of — will nearly always sell for higher sums to brokers that resell them for use in espionage than to manufacturers looking to repair them.

But companies that run bug bounties and researchers who pursue them say it would be a mistake to assume that the compensation a broker offers for a bug is as good as cash in hand, or that the bounty is the only reward for turning a bug in to its manufacturer.

“We don’t see ourselves as competing with an Exodus Intelligence for the same bugs,” said Alex Rice, co-founder and chief technology officer of HackerOne, a company that runs bug bounty programs for GM, Twitter, Uber and Kaspersky Labs.

Rice says there are a number of reasons researchers don’t sell to the grey — that is, not quite black — market. The most obvious is moral.

To sell to companies like Exodus, “you need to be comfortable with your vulnerability being used as a weapon,” said Rice. Researchers also have to be comfortable with their zero-day not being quickly fixed — leaving an open door for the next person who discovers the vulnerability to crawl through.

Even people motivated purely by money are often better served by taking a pay cut to report a vulnerability to a manufacturer. 

“Any market that gets a premium rate requires you sign guarantees of non-disclosure and non-remediation,” said Rice. “If you somehow are OK with the moral requirements, not being able to share your work is fundamental.”

For many of the people who research security vulnerabilities, the bounty is not the primary financial reward. Instead, it is the publicity that a major discovery draws for the researcher or the security company that employs them.

At the same time, presenting research has value both as a security community norm and as a way to show off talent without committing actual crimes.

Rice says that the bounty is not the reason someone goes into security research in the first place. But it can be the reason a researcher picks a particular target.

“The bounty is not meant to encourage people to do the right thing. It is meant to encourage the limited number of people who do security research to pick your product rather than another one,” he said.


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
