Apple Has a Million Dollar Bug Bounty Problem

Details of six new vulnerabilities in Apple’s iOS mobile operating system were made available on Tuesday. Discovered by researchers with Google, several of the security flaws were particularly worrisome because they could potentially let hackers compromise iPhones without making owners aware. Many of the bugs were disclosed months ago, and all but one has already been patched.

While the disclosure of these bugs made for eye-popping headlines, they also betray a deeper issue within Apple’s ecosystem. Specifically, iPhone flaws that require no interaction on the behalf of users, like the ones the Google researchers discovered, would garner large sums if sold on the black market. Apple, meanwhile, pays much less. Is that pay gap a problem?

Natalie Silvanovich and Samuel Groß, two members of Google’s research team dubbed Project Zero, were credited with finding the iOS bugs. Silvanovich tells ZDNet that four out of the six security flaws can be executed automatically simply by sending an iPhone user a specific string of characters on iMessage, and then having the user open the message and view the contents within. The other two iOS bugs let hackers leak data from the iPhone’s memory and read files from a remote device.

While Apple addressed all six of the iOS flaws with the July 22 release of iOS 12.4, one of the vulnerabilities has yet to be fully resolved.

Should Apple pay more for bugs?

According to a Google spokesperson, the company did not receive an award for finding these vulnerabilities. Apple did not respond to Fortune’s requests for comment. Apple has said it pays those who find vulnerabilities up to $200,000 through a program it started in 2016. (A week after Apple launched this bug bounty, a third-party launched its own, doubling the prize money offered by Cupertino.) In comparison, exploit acquisition platform Zerodium rewards security researchers as much as $2 million for bugs similar to what Google has disclosed.

Apple has kept quiet about how much money it has paid out in bug bounties. For example, when it rewarded 14-year-old Grant Thompson for discovering Apple’s FaceTime eavesdropping bug, it said it would pay the Thompson family for the discovery, as well as provide money for Grant’s education, but it didn’t disclose how much it ultimately paid. In other cases, bug finders have kept Apple’s software flaws to themselves because the company is stingy about paying out. The policy has been clearly been a thorn in the side of Apple, a trillion-dollar company.

Or has it? Economics are behind the reason Apple’s payouts aren’t high, says Katie Moussouris, founder and CEO of Luta Security. Moussouris founded Microsoft’s Security Vulnerability Research program in 2013. In advance of launching Microsoft’s first bug bounty program, she studied business, game theory, and other bounty programs to arrive at a proper payout price.

“Mozilla was one of the first companies to offer a bug bounty program, offering finders $500.” Moussouris says, “Google itself only started offering money in 2010, with a bounty of $1,337.”

But now that bounties have swollen into six figures, it’s more important than ever for companies like Apple to keep its employees happy. Moussouris notes that workers within the company find similar bugs multiple times each year, but don’t see such large payouts.

“There have been times where an Apple researcher has gone to their manager saying, ‘I found four bugs that you’d pay an outsider $200,000 for each. Can I at least get a bonus?'” says Moussouris. “The response, unfortunately, has been, ‘That’s what we pay you a salary for.'”

Moussouris says she ran into a similar problem at Microsoft when she devised a bug bounty prize of $100,000—matching the popular Pwn2Own hacker contest bounty at the time.

By paying too much to bug bounty hunters, companies can cannibalize their hiring, she says. “You won’t be able to get new recruits to come work for you full time and prevent bugs in the first place, when they could potentially earn an entire salary from winning a single bug bounty on their own.”

So, while Apple may be one of the richest companies in the world, the computer maker’s decision to cap its bounty at $200,000 could be seen as a sustainable one. And while the black market will always find a way to outbid Apple’s rewards, the iPhone-maker can devote its war chest toward keeping its security strong to begin with.

Update, July 31 1:15 p.m.: This story was updated from its original version to include a comment from Google.