Burned by Apple, researchers mull selling zero days to brokers

Mounting frustration with the Apple Security Bounty program could have tangible consequences for the tech giant, as some security researchers said they are considering selling their vulnerability discoveries to zero-day brokers and other third parties.

Since Apple launched its bug bounty program to the public in 2019, several security researchers have criticized the program for a variety of issues. The most visible recent example of this frustration came when researcher Denis Tokarev, who goes by the handle “illusionofchaos,” publicly disclosed three apparent zero-day iOS vulnerabilities, along with a scathing critique of Apple’s bug bounty program. In a blog post, Tokarev accused Apple of not properly crediting him for finding flaws and criticized the company’s communication practices.

Soon after, another researcher known as “impost0r” with the not-for-profit reverse-engineering group Secret Club dropped an apparent macOS vulnerability, along with instructions on how to exploit it.

They are not the first to publicly post zero days after being disgruntled with a vendor. Frustrations with the Apple Security Bounty (ASB) are far from new, but recent events have ignited a new wave of criticism against the tech giant.

Researcher frustrations

Several security researchers who either work or have worked with Apple in the past criticize the company for communication and recognition issues in ASB, and a few expressed a willingness to work with third parties such as zero-day brokers following these frustrations.

Apple Security Bounty began in 2016 as an invite-only bug bounty program for researchers to submit vulnerabilities and exploits to Apple in exchange for monetary rewards. In 2019, zero-day submission became publicly accessible.

According to Apple’s website, the maximum payouts for vulnerabilities vary. For anything that enables “unauthorized access to iCloud account data on Apple Servers,” the maximum payout is $100,000. On the high end, Apple will pay up to $1 million for a “zero-click remote chain with full kernel execution and persistence, including kernel PAC bypass, on latest shipping hardware.”

SearchSecurity spoke with several researchers who have submitted bugs to…