Apple refused to pay bounty to Kaspersky for uncovering vulnerability in ‘Operation Triangulation’


Kaspersky, the renowned Russian cybersecurity firm, made headlines at this time last year after uncovering an attack chain that used four iOS zero-day vulnerabilities to build a zero-click exploit. Kaspersky was able to identify and report one of the vulnerabilities to Apple. However, in a bizarre update, Apple has reportedly refused to pay the security bounty for the firm’s contribution.


9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform.


It is common for big tech companies like Apple to use security bounty programs to encourage researchers and ethical hackers to find and report vulnerabilities to them rather than selling them to malicious actors, often nation-states, who might exploit them.

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a useful job,” Dmitry Galov, head of the Russian research center at Kaspersky Lab, told Russian news outlet RTVI. “Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.”

Galov even proposed that Kaspersky donate the bounty to charity, but Apple rejected this, citing internal policies without explanation. It’s not uncommon for research firms to donate bounty payments from large companies to charity. Some perceive it as an extension of their ethical obligation, but it undeniably contributes to a positive reputation within the security community.

“Considering how much information we provided them and how proactively we did…

Source…