{"id":42783,"date":"2021-09-10T04:20:27","date_gmt":"2021-09-10T04:20:27","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/32627\/Infosec-Researchers-Say-Apples-Bug-Bounty-Program-Needs-Work.html"},"modified":"2021-09-10T04:20:27","modified_gmt":"2021-09-10T04:20:27","slug":"infosec-researchers-say-apples-bug-bounty-program-needs-work","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/","title":{"rendered":"Infosec Researchers Say Apple&#8217;s Bug Bounty Program Needs Work"},"content":{"rendered":"<figure class=\"intro-image intro-left\"><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/09\/GettyImages-163855174-800x600.jpg\" alt=\"Cartoon worm in a cartoon apple.\"><figcaption class=\"caption\">\n<div class=\"caption-text\">If you don&#8217;t maintain good relationships with bug reporters, you may not get to control the disclosure timeline.<\/div>\n<\/figcaption><\/figure>\n<p>The Washington Post <a 
href=\"https:\/\/www.washingtonpost.com\/technology\/2021\/09\/09\/apple-bug-bounty\/\">reported<\/a>&nbsp;earlier today that Apple&#8217;s relationship with third-party security researchers could use some additional fine tuning. Specifically, Apple&#8217;s &#8220;bug bounty&#8221; program\u2014a way companies encourage ethical security researchers to find and responsibly disclose security problems with its products\u2014appears less researcher-friendly and slower to pay than the industry standard.<\/p>\n<p>The Post says it interviewed more than two dozen security researchers who contrasted Apple&#8217;s bug bounty program with similar programs at competitors including Facebook, Microsoft, and Google. Those researchers allege serious communication issues and a general lack of trust between Apple and the infosec community its bounties are supposed to be enticing\u2014&#8221;a bug bounty program where the house always wins,&#8221; according to Luta Security CEO Katie Moussouris.<\/p>\n<h2>Poor communication and unpaid bounties<\/h2>\n<p>Software engineer Tian Zhang appears to be a perfect example of Moussouris&#8217; anecdote. In 2017, Zhang reported a major security flaw in HomeKit, Apple&#8217;s home automation platform. Essentially, the flaw allowed anyone with an Apple Watch to <a href=\"https:\/\/www.engadget.com\/2017-12-21-apple-ignored-a-major-homekit-security-flaw-for-six-weeks.html\">take over<\/a> any HomeKit-managed accessories physically near them\u2014including smart locks, as well as security cameras and lights.<\/p>\n<p>After a month of repeated emails to Apple security with no response, Zhang enlisted Apple news site 9to5Mac to reach out to Apple PR\u2014Zhang <a href=\"https:\/\/www.engadget.com\/2017-12-21-apple-ignored-a-major-homekit-security-flaw-for-six-weeks.html\">described<\/a>&nbsp;them as &#8220;much more responsive&#8221; than Apple Product Security had been. 
Two weeks later\u2014six weeks after initially reporting the vulnerability\u2014the issue was finally remedied in iOS 11.2.1.<\/p>\n<p>According to Zhang, his second and third bug reports were again ignored by Product Security, without bounties paid or credit given\u2014but the bugs themselves were fixed. Zhang&#8217;s Apple Developer Program membership was revoked after submission of the third bug.<\/p>\n<figure class=\"image shortcode-img center full\"><img loading=\"lazy\" decoding=\"async\" alt=\"Despite granting &quot;in-use only&quot; permissions to the app, Brunner discovered his app actually received 24\/7 background permission.\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/09\/brunner-app.gif\" width=\"375\" height=\"667\"><figcaption class=\"caption\">\n<div class=\"caption-text\">Despite granting &#8220;in-use only&#8221; permissions to the app, Brunner discovered his app actually received 24\/7 background permission.<\/div>\n<\/figcaption><\/figure>\n<p>Swiss app developer Nicolas Brunner had a similarly frustrating experience in 2020. While developing an app for Swiss Federal Roadways, Brunner accidentally <a href=\"https:\/\/medium.com\/@nicolas.brunner?p=fe9a57a81943\">discovered<\/a>&nbsp;a serious iOS location-tracking vulnerability that would allow an iOS app to track users without their consent. Specifically, granting an app permission to access location data only while foregrounded actually granted permanent, 24\/7 tracking access to the app.<\/p>\n<p>Brunner reported the bug to Apple, which eventually fixed it in iOS 14.0 and even credited Brunner in the <a href=\"https:\/\/support.apple.com\/en-gb\/HT211850\">security release notes<\/a>. 
But Apple dithered for seven months about paying him a bounty, eventually notifying him that &#8220;the reported issue and your proof-of-concept do not demonstrate the categories listed&#8221; for bounty <a href=\"https:\/\/developer.apple.com\/security-bounty\/payouts\/\">payout<\/a>. According to Brunner, Apple ceased responding to his emails after that notification, despite requests for clarification.<\/p>\n<p>According to Apple&#8217;s own payouts page, Brunner&#8217;s bug discovery would appear to easily qualify for a $25,000 or even $50,000 bounty under the category &#8220;User-Installed App: Unauthorized Access to Sensitive Data.&#8221; That category specifically references &#8220;sensitive data normally protected by a <a href=\"https:\/\/support.apple.com\/en-gb\/guide\/security\/secddd1d86a6\/web\">TCC<\/a> prompt,&#8221; and the payouts page later defines &#8220;sensitive data&#8221; to include &#8220;real-time or historical precise location data\u2014or similar user data\u2014that would normally be prevented by the system.&#8221;<\/p>\n<p>When asked to comment on Brunner&#8217;s case, Apple Head of Security Engineering and Architecture Ivan Krsti\u0107 told The Washington Post that, &#8220;when we make mistakes, we work hard to correct them quickly, and learn from them to rapidly improve the program.&#8221;<\/p>\n<h2>An unfriendly program<\/h2>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/09\/zerodium-payouts.png\" class=\"enlarge\" data-height=\"630\" data-width=\"876\" alt=\"Vulnerability broker Zerodium offers substantial bounties for zero-day bugs, which it then resells to threat actors like Israel's NSO Group.\"><img loading=\"lazy\" decoding=\"async\" alt=\"Vulnerability broker Zerodium offers substantial bounties for zero-day bugs, which it then resells to threat actors like Israel's NSO Group.\" 
src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/09\/zerodium-payouts-640x460.png\" width=\"640\" height=\"460\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/09\/zerodium-payouts.png 2x\"><\/a><figcaption class=\"caption\">\n<div class=\"caption-text\">Vulnerability broker Zerodium offers substantial bounties for zero-day bugs, which it then resells to threat actors like Israel&#8217;s NSO Group.<\/div>\n<\/figcaption><\/figure>\n<p>Moussouris\u2014who helped create bug-bounty programs for both Microsoft and the US Department of Defense\u2014told the Post that &#8220;you&nbsp;have to have a healthy internal bug fixing mechanism before you can attempt to have a healthy bug vulnerability disclosure program.&#8221; Moussouris went on to ask, &#8220;What do you expect is going to happen if [researchers] report a bug that you already knew about but hadn&#8217;t fixed? Or if they report something that takes you 500 days to fix?&#8221;<\/p>\n<p> One such option is bypassing a relatively unfriendly bug-bounty program run by the vendor in question and <a href=\"https:\/\/zerodium.com\/program.html\">selling<\/a> the vulnerability to gray-market brokers instead\u2014where access to them can in turn be purchased by threat actors like Israel&#8217;s <a href=\"https:\/\/arstechnica.com\/gadgets\/2021\/07\/clickless-exploits-from-israeli-firm-hacked-activists-fully-updated-iphones\/\">NSO Group<\/a>. 
Zerodium offers bounties of up to $2 million for the most severe iOS vulnerabilities\u2014with less-severe vulnerabilities like Brunner&#8217;s location-exposure bug in its &#8220;up to $100,000&#8221; category.<\/p>\n<p>Former NSA research scientist Dave Aitel told the Post that Apple&#8217;s closed, secretive approach to dealing with security researchers hampers its overall product security. &#8220;Having a good relationship with the security community gives you a strategic vision that goes beyond your product cycle,&#8221; Aitel said, adding, &#8220;hiring a bunch of smart people only gets you so far.&#8221;<\/p>\n<p><a href=\"https:\/\/www.bugcrowd.com\/\">Bugcrowd<\/a>&nbsp;founder Casey Ellis says that companies should pay researchers when reported bugs lead to code changes closing a vulnerability, even if\u2014as Apple rather confusingly told Brunner about his location bug\u2014the reported bug doesn&#8217;t meet the company&#8217;s own strict interpretation of its guidelines. &#8220;The more good faith that goes on, the more productive bounty programs are going to be,&#8221; he said.<\/p>\n<h2>A runaway success?<\/h2>\n<p>Apple&#8217;s own description of its bug bounty program is decidedly rosier than the incidents described above\u2014and reactions of the broader security community\u2014would seem to suggest.<\/p>\n<p>Apple Security Engineering and Architecture head Ivan Krsti\u0107 told the Washington Post that &#8220;the Apple Security Bounty program has been a runaway success.&#8221; According to&nbsp;Krsti\u0107, the company has nearly doubled its annual bug bounty payout and leads the industry in average bounty amount.<\/p>\n<p>&#8220;We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers,&#8221;&nbsp;Krsti\u0107 continued. 
But despite Apple&#8217;s year-on-year increase in total bounty payouts, the company lags far behind rivals Microsoft and Google\u2014which paid out totals of $13.6 million and $6.7 million, respectively, in their most recent annual reports, as compared to Apple&#8217;s $3.7 million.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/32627\/Infosec-Researchers-Say-Apples-Bug-Bounty-Program-Needs-Work.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42784,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[8675],"class_list":["post-42783","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinehackerphoneflawapple"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Infosec Researchers Say Apple&#039;s Bug Bounty Program Needs Work 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Infosec Researchers Say Apple&#039;s Bug Bounty Program Needs Work 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-10T04:20:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"760\" \/>\n\t<meta property=\"og:image:height\" content=\"345\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Infosec Researchers Say Apple&#8217;s Bug Bounty Program Needs Work\",\"datePublished\":\"2021-09-10T04:20:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/\"},\"wordCount\":1018,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg\",\"keywords\":[\"headline,hacker,phone,flaw,apple\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/\",\"name\":\"Infosec Researchers Say Apple's Bug Bounty Program Needs Work 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg\",\"datePublished\":\"2021-09-10T04:20:27+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg\",\"width\":760,\"height\":345},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/infosec-researchers-say-apples-bug-bounty-program-needs-work\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"
position\":2,\"name\":\"headline,hacker,phone,flaw,apple\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackerphoneflawapple\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Infosec Researchers Say Apple&#8217;s Bug Bounty Program Needs Work\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Infosec Researchers Say Apple's Bug Bounty Program Needs Work 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/","og_locale":"en_US","og_type":"article","og_title":"Infosec Researchers Say Apple's Bug Bounty Program Needs Work 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-09-10T04:20:27+00:00","og_image":[{"width":760,"height":345,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Infosec Researchers Say Apple&#8217;s Bug Bounty Program Needs Work","datePublished":"2021-09-10T04:20:27+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/"},"wordCount":1018,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg","keywords":["headline,hacker,phone,flaw,apple"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/","url":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/","name":"Infosec Researchers Say Apple's Bug Bounty Program Needs Work 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg","datePublished":"2021-09-10T04:20:27+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/infosec-researchers-say-apples-bug-bounty-program-needs-work.jpg","width":760,"height":345},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/infosec-researchers-say-apples-bug-bounty-program-needs-work\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,phone,flaw,apple","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackerphoneflawapple\/"},{"@type":"ListItem","position":3,"name":"Infosec Researchers Say Apple&#8217;s Bug Bounty Program 
Needs Work"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a
8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=42783"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42783\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/42784"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=42783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=42783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=42783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}