Respond to prefers-color-scheme dark in app web views

Follow section front redirects in Spectrum

Enable NLP source in PCS for load testing

Switch off the News Alerts Survey Widget when we have enough responses

Poll to determine if new LUF updates are available

Allows the winning A/B test variant to be turned on without Spectrum deployment

Show infinite scrolling sections in Assembler MultiView

Show option for NLP article summaries in Action Bar

A general feature flag for Recipe Features that aren't yet released

Feature flag for media team features that aren't yet released

Use new Orca video player for preroll plugin in Spectrum

Show the snow tracker (instead of the heat tracker) on Spectrum

This is the technology we’re loving right now

NASA moon capsule suffered extensive damage during 2022 test flight

Microsoft is changing how you log in to your accounts

The dangerous new call for regime change in Beijing

Ukrainian men abroad voice anger over pressure to return home to fight 

U.K. local election results could spell doom for Conservative Party

The New York Times, alone in its outrage over access to Biden

Wait, what is Stephen A. Smith talking about? Find out with our quiz.

Stephen A. Smith would like even more of your attention

Is Pastis as good as our food critic thought? He sent spies to find out.

Trevor Williams’s escape act helps Nationals blank Rangers 

Nationals can’t solve Nate Eovaldi, drop series finale to Rangers

Teen grabs wheel when driver passes out and school bus veers into traffic

Cat climbed into Amazon return box, found alive 630 miles away

I learned to heal my sadness by cradling dying chickens 

Hope Hicks witnessed nearly every Trump scandal. Now she must testify.

Elections 2024 latest news: Biden to honor distinguished Americans; Trump back in N.Y. court

To the Gaza protesters helping to elect Trump: Give it a rest

An I bond is now at 4.28 percent. Are they still a good deal?

Use these 6 points to say no to a college you and your kid can’t afford

How this new rule protects retirement savers from costly advice

On Press Freedom Day, little to celebrate for Hong Kong’s journalists

Young Georgians want to be part of Europe. Their government is in the way.

Taxes are inevitable. Paying to prepare them doesn’t have to be.

Miss Manners: Host eats luxurious breakfast, leaves cereal for guest

Ask Amy: Should I be the best man if I think the bride is abusive?

Carolyn Hax: Husband keeps pushing modest spouse to wear sexier clothes

You asked: Do I need a passport for my cruise?

What’s the best bus to New York? We tested 5 for comfort and value.

Adaptive equipment is making national parks more inclusive

Riot police and over 2,000 arrests: A look at 2 weeks of campus protests

Hope on the horizon | The Trump Trials: Sidebar

Police break into UCLA encampment

Big Tech news and how to take control of your data and devices

See more coverage in your recommendations

Technology

Tips delivered to your inbox twice weekly

The Tech Friend newsletter

Business and Tech alerts

Hoping to discover hidden weaknesses, Apple for five years now has invited hackers to break into its services and its iconic phones and laptops, offering up to $1 million to learn of its most serious security flaws.

Across the tech industry, similar “bug bounty” programs have become a prized tool in maintaining security — a way to find vulnerabilities and encourage hackers to report them rather than abuse them.

But many who are familiar with the program say Apple is slow to fix reported bugs and does not always pay hackers what they believe they’re owed. Ultimately, they say, Apple’s insular culture has hurt the program and created a blind spot on security.

“It’s a bug bounty program where the house always wins,” said Katie Moussouris, CEO and founder of Luta Security, which worked with the Defense Department to set up its first bug bounty program. She said Apple’s bad reputation in the security industry will lead to “less secure products for their customers and more cost down the line.”

Apple said its program, <a href="https://www.vice.com/en/article/qvapxq/apple-iphone-bug-bounty-payments" target=_blank>launched in 2016</a>, is a work in progress. Until 2019, the program was not officially opened to the public, although researchers say the program was never exclusive.

“The Apple Security Bounty program has been a runaway success,” Ivan Krstic, head of Apple Security Engineering and Architecture, said in an emailed statement. Apple has nearly doubled the amount it has paid in bug bounties this year compared to last, and it leads the industry in the average amount paid per bounty, he said.

“We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world,” he added.

In interviews with more than two dozen security researchers, some of whom spoke on the condition of anonymity because of nondisclosure agreements, the approaches taken by Apple’s rivals were held up for comparison. Facebook, Microsoft and Google <a href="https://security.googleblog.com/2021/07/a-new-chapter-for-googles-vulnerability.html" target=_blank>publicize </a>their programs and <a href="https://www.facebook.com/whitehat/thanks/" target=_blank>highlight</a> security researchers who <a href="https://msrc-blog.microsoft.com/2021/07/08/microsoft-bug-bounty-programs-year-in-review-13-6m-in-rewards/" target=_blank>receive bounties</a> in blog posts and <a href="https://bughunters.google.com/leaderboard" target=_blank>leader boards</a>. They <a href="https://msrc-blog.microsoft.com/category/bluehat/" target=_blank>hold conferences</a> and <a href="https://m.facebook.com/nt/screen/?params=%7B%22note_id%22%3A2726563500926112%7D&path=%2Fnotes%2Fnote%2F&refsrc=deprecated&_rdr" target=_blank>provide resources</a> to encourage a broad international audience to participate.

And most of them pay more money each year than Apple, which is at times the world’s most valuable company. Microsoft<a href="https://msrc-blog.microsoft.com/2021/07/08/microsoft-bug-bounty-programs-year-in-review-13-6m-in-rewards/" target=_blank> paid $13.6 million</a> in the 12-month period beginning July 2020. Google paid $6.7 million in 2020. Apple spent $3.7 million last year, Krstic said in his statement. He said that number is likely to increase this year.

Payment amounts aren’t the only measure of success, however. The best programs support open conversations between the hackers and the companies. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement.

Apple also has a massive backlog of bugs that it hasn’t fixed, according to the former employee and a current employee, who also spoke on the condition of anonymity because of an NDA.

“You have to have a healthy internal bug fixing mechanism before you can attempt to have a healthy bug vulnerability disclosure program,” said Moussouris, who helped create Microsoft’s bug bounty program. She says she asks prospective clients, “What do you expect is going to happen if they report a bug that you already knew about but haven’t fixed? Or if they report something that takes you 500 days to fix it?”

The unfriendly nature of its bug bounty program has discouraged some security researchers from pointing out flaws to Apple, these people said. That’s prompted some to <a href="https://www.vice.com/en/article/gybppx/iphone-bugs-are-too-valuable-to-report-to-apple" target=_blank>sell them to “gray market”</a> customers like government agencies or companies that sell sophisticated hacking services, or go public without notifying Apple, which could put customers at risk.

Cedric Owens, 39, earlier this year chose to tell Apple when he found a massive flaw that allowed hackers to <a href="https://gizmodo.com/update-your-mac-right-now-to-avoid-this-massive-securit-1846765391" target="_blank">install malicious software</a> on Mac computers, <a href="https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508" target="_blank">bypassing Apple’s security measures</a>. Patrick Wardle, an expert in Mac security, said in a blog post that the vulnerability put Mac users “<a href="https://objective-see.com/blog/blog_0x64.html" target="_blank">at grave risk</a>.” And Jamf, a cybersecurity firm, said it found evidence that hackers were <a href="https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/" target="_blank">already using it</a>.

Apple’s bug bounty program offers $100,000 for attacks that gain “unauthorized access to sensitive data.” Apple defines sensitive data as access to contacts, mail, messages, notes, photos or location data. While Owens’s hack didn’t allow access to those specific areas, Owens and others in the industry argued that the data hackers were getting was, indeed, sensitive. Owens created a hypothetical attack that gave hackers access to the victim’s files. He said in an interview that it could have hypothetically allowed hackers to access corporate servers, if the target computer were used by a corporation. That would be valuable in use for <a href="https://www.washingtonpost.com/business/2021/05/12/ransomware-attack/" target="_blank" class="contextual_link">ransomware</a> attacks, for instance.

Apple paid the Charlotte-based security researcher $5,000, or 5 percent of what Owens believed he deserved, he said. Apple declined to reconsider. While he said he will continue to submit bugs despite a higher payout on the gray market, other researchers probably won’t. Apple declined to comment on Owens’s bug bounty.

“The end result could be more gaping holes in Apple’s processes and in their products they’re releasing,” he said.

Apple’s Krstic said the company has gathered feedback and would “continue to scale and improve” what it said was a rapidly growing program, reducing response times and improving communication.

“We are also planning to introduce new rewards for researchers to keep expanding participation in the program, and we are continuing to investigate paths to offer new and even better research tools that meet our rigorous, industry-leading platform security model,” he added.

Despite the hype, iPhone security no match for NSO spyware

The security of Apple products, particularly iPhones, has come under more scrutiny after revelations this summer by the <a href="https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/" target=_blank>Pegasus Project</a>, an investigation by The Washington Post and 16 other media organizations that showed how software licensed by the Israeli company NSO Group had been used to hack phones belonging to human rights advocates, journalists and politicians. The investigation uncovered forensic evidence of successful or attempted hacks on <a href="https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/" target=_blank>34 iPhones</a>, including the latest models with the latest updates.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place,” Krstic said in a <a href="https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/" target=_blank>statement</a> at the time.

Krstic pushed for Apple’s program to be implemented in 2016, when select researchers were allowed to submit bugs in exchange for payment. In 2019, Apple opened the program to all researchers and announced that it would begin paying up to $1 million to anyone who could hack an iPhone remotely, without requiring the target to do anything (many hacks require clicking on a link or email).

It also announced it would provide “<a href="https://9to5mac.com/2020/07/22/apple-security-research-device-program/" target=_blank>security research devices</a>” — special iPhones designed for security research — to people who have a proven track record of finding bugs.

Apple declined to say how many of the devices it has given to researchers or whether it has paid a $1 million bounty.

Jeff Bezos’s iPhone had Apple’s state-of-the-art security, and that may have helped its alleged hackers

Sam Curry, a prominent 21-year-old security researcher in Omaha, <a href="https://samcurry.net/hacking-apple/" target="_blank">set his sights on Apple’s bug bounty program</a> last summer. He and four friends got together for late-night, soda-fueled hacking sessions, poking holes in Apple’s defenses. The group submitted a new bug every couple of days. Apple paid $50,000 for one of the bugs, and, in all, they earned about $500,000, Curry said.

The group was so successful, collecting at least 13 percent of what Apple paid in bug bounties over the course of the year, that Apple took notice, Curry said. He had conversations with some of the security researchers at the company. He said the time it takes Apple to pay researchers for bug bounties is too long compared with the rest of the industry.

“I think they’re aware of how they’re seen in the community, and they’re trying to move forward,” Curry said.

On the list: Ten prime ministers, three presidents and a king

Apple, according to some of the people, hired a new leader for its bug bounty program this year with the goal of reforming it. Apple declined to make the person, who works under Krstic, available for an interview.

In the endless and messy global war over Internet security, even the most vigilant companies have seen their defenses fall at the hands of nameless and faceless foes. Apple is no exception. This year alone, Apple has patched <a href="https://therecord.media/apple-releases-fix-for-ios-and-macos-zero-day-13th-this-year/" target=_blank>13 zero-day exploits</a>, or previously unknown security vulnerabilities, that could have been used by malicious hackers to breach its devices.

Nevertheless, Apple is considered a leader in cybersecurity and has implemented advanced techniques, such as specialized microprocessors in iPhones devoted to stopping hacks. IPhones are often compared favorably to competing handsets running Google’s Android, including in Apple’s <a href="https://www.cnet.com/tech/mobile/apple-mocks-android-again-in-new-ads/" target=_blank>advertisements</a>.

The security of iPhones is one of Apple’s key marketing claims. One company advertisement around 2017<a href="https://www.youtube.com/watch?v=kQcq3rpne78" target=_blank> depicted a burglar</a> easily breaking into the “competing” mobile operating system and then being locked out of iOS.

The FBI wanted to unlock the San Bernardino shooter’s iPhone. It turned to a little-known Australian firm.

But there is one aspect of cybersecurity that doesn’t mix with Apple’s cultural DNA. The field of cybersecurity grew out of a hacker culture in which the open and free flow of information is among the most important values.

The open nature of the cybersecurity industry contrasts with Apple’s corporate culture. The company, like its competitors, prefers to keep its products secret until they’re released. The methods Apple uses to ensure secrecy are more stringent than those employed by its peers. For instance, Apple employees are told not to discuss their work even with co-workers.

“It’s not a surprise they haven’t embraced this public security researcher culture until recently, when their hand was forced into launching a bug bounty program,” said Jay Kaplan, a founder and the chief executive of Synack, which helps companies crowdsource vulnerabilities in critical technology. Kaplan said researchers weren’t coming to Apple to report bugs. “Instead, they were going to security conferences and speaking about it publicly and selling it on the black market,” he said.

Indeed, some researchers think Apple would prefer not to see its software picked apart by researchers, even if the result is that more flaws are fixed. Apple makes it as difficult as possible for researchers to remove software protections that limit the kinds of research that can be conducted on iPhones. According to the current and former security employees, the company’s view is that such protections make its phones more secure.

Apple is appealing its loss in a federal copyright lawsuit against <a href="https://www.washingtonpost.com/technology/2020/12/29/apple-corellium-lawsuit/" target=_blank>a small Florida company called Corellium</a> that makes a tool that allows researchers more easily to <a href="https://www.washingtonpost.com/technology/2021/08/16/apple-corellium-child-porn-iphone/" target=_blank>search for flaws</a> in iPhone software.

Google uncovers 2-year iPhone hack that was ‘sustained’ and ‘indiscriminate’

Tian Zhang, an iOS software engineer, first reported a bug to Apple in 2017. After months of waiting for Apple to fix the bug, Zhang lost patience and decided to blog about his discovery. The second time he reported a security flaw, he says, Apple fixed it but ignored him. In July, Zhang submitted another bug to Apple that he says was eligible for a reward. The software was quickly fixed, but Zhang didn’t receive a reward. Instead, he was kicked out of the Apple Developer Program. Membership in the program is required to be able to submit apps to the App Store. Apple did not comment on Zhang’s allegations.

“It’s a mixed feeling,” Zhang said in an interview. “On one side, as an engineer, you want to make sure the products you’re building are safe for other people,” he said. On the other hand, he says, “it seems like Apple thinks people reporting bugs are annoying and they want to discourage people from doing so.”

Alex Rice, chief technology officer and co-founder of HackerOne, which provides bug bounty services to companies, said it can take time to fix bugs in more complicated software systems but that it is important to educate researchers on why it is taking so long. “It takes a little bit of good faith. And it takes a little bit of transparency and collaboration,” he said. Still, “faster is always better.”

Despite Apple’s bounty program, there continues to be a big market for vulnerabilities on Apple devices. Researchers can sell exploits for iPhones for as much as $2 million, according to a price list <a href="http://zerodium.com/program.html" target=_blank>published by Zerodium</a>, a company that buys and sells exploits for use by firms such as NSO Group. The same kind of exploit for Google’s Android operating system goes for $2.5 million.

People who have sold exploits to companies like Zerodium told The Post that they view the price list as a rough proxy of how difficult it is to find an exploit. The higher the price, the more secure the operating system. But there is no objective way to measure or compare iOS security to Android, in part because the people buying and selling the exploits keep that information secret. Zerodium, which says on its website that it sells to government agencies, mainly in Europe and North America, did not respond to a request for comment.

The Wayback Machine, a service run by the Internet Archive, which saves old webpages, shows how quickly the difficulty of hacking Android devices increased in five years. In 2016, Zerodium would pay only $200,000 for the most valuable exploit.

Dave Aitel, a former National Security Agency research scientist and co-author of “<a href="https://www.amazon.com/gp/product/0849308887?ie=UTF8&tag=thewaspos09-20&camp=1789&linkCode=xm2&creativeASIN=0849308887" target=_blank>The Hacker’s Handbook</a>,” said Apple’s closed-off approach hinders its security efforts.

“Having a good relationship with the security community gives you a strategic vision that goes beyond your product cycle. It lets you know what’s coming down the pike,” he said. “Hiring a bunch of smart people only gets you so far.”

Apple is prying into iPhones to find sexual predators, but privacy activists worry governments could weaponize the feature

Some of Apple’s poor reputation in the bug bounty world could be improved with some minor changes, according to experts in the field.

Casey Ellis, founder of Bugcrowd, an Australian firm that operates bug bounty programs for companies, said one “core rule” in the industry is that if a company changes its code in response to a bug report, it should pay the person who reports it, even if it doesn’t meet the company’s strict interpretation of the guidelines.

“The more good faith that goes on, the more productive bounty programs are going to be,” he said.

Other big Silicon Valley companies have worked for years to earn favor in the research world. Facebook and Google co-host a conference called BountyCon, which is aimed at bringing security researchers with different skills together to collaborate and identify talent through the two companies’ bug bounty programs.

Nicolas Brunner was developing an app for the Swiss Federal Railways last year that would help blind people navigate the train system. While testing the app, Brunner noticed that even if users declined to share their location, he could still see their every move.

Brunner had stumbled upon a <a href="https://medium.com/macoclock/apple-security-bounty-a-personal-experience-fe9a57a81943" target=_blank>serious security bug</a> in Apple’s location tracking system, he said in an interview. A colleague recommended he submit it to Apple’s bug bounty program.

Expecting to be paid somewhere around $50,000, Brunner told his 30 colleagues that when he received his check, he would throw a barbecue for all of them. Apple thanked him for reporting the bug and said it would credit him with finding it. But eight months later, Apple responded to Brunner with disappointing news: His bug did not qualify for the program, despite Apple’s <a href="https://developer.apple.com/security-bounty/payouts/" target=_blank>promising rewards</a> ranging from roughly $25,000 to $100,000 for flaws that allow access to “sensitive data,” including “real-time or precise location data.” After months of delays, Apple decided not to pay him at all, saying the bug he had found did not qualify for the program.

“I like the idea of Apple’s bug bounty program. I don’t like the implementation,” Brunner said in an interview.

“When we make mistakes, we work hard to correct them quickly, and learn from them to rapidly improve the program,” Krstic said in the statement when asked to comment on Brunner’s case.

New York Press Club award for sports news; National Headliner Award for sports writing; Gold Medal for the Axiom Business Book Awards

"Wheelmen: Lance Armstrong, The Tour de France and the Greatest Sports Conspiracy Ever." 

San Diego State University, BA

Reed Albergotti is The Washington Post's consumer electronics reporter, taking readers inside powerful and secretive companies such as Apple and shedding light on the murky and global industry responsible for building the myriad devices that touch every aspect of our lives. He spent 12 years at the Wall Street Journal and four at the Information. 