Apple refused to pay bounty to Kaspersky for uncovering vulnerability in ‘Operation Triangulation’

Kaspersky, the well-known Russian cybersecurity firm, made headlines last year after uncovering an attack chain using four iOS zero-day vulnerabilities to create a zero-click exploit. Kaspersky identified and reported one of the vulnerabilities to Apple. However, Apple reportedly declined to pay the security bounty for the firm’s contribution.


Big tech companies like Apple often use security bounty programs to incentivize researchers and hackers to find and report vulnerabilities to them instead of selling them to malicious actors, including nation-states.

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a useful job,” said Dmitry Galov, head of the Russian research center at Kaspersky Lab. “Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.”

Galov suggested donating the bounty to charity, but Apple rejected this, citing internal policies without explanation. Research firms often donate bounty payments from large companies to charity, enhancing their reputation in the security community.

In 2023, Kaspersky exposed a highly sophisticated spying campaign, Operation Triangulation, which chained four zero-day vulnerabilities into a zero-click exploit. The attack allowed attackers to compromise iPhones and extract sensitive data without the user's knowledge.

Kaspersky’s research lab reverse-engineered one of the vulnerabilities in the attack chain, prompting Apple to release emergency security patches. The discovery could have earned a reward of up to $1 million through Apple’s Security Bounty Program.

The likely reason why

Being a Russian company, Kaspersky faced challenges due to U.S. sanctions against Russia. Additionally, Apple’s Security Bounty terms restrict payments to individuals in embargoed countries or on specific restricted party lists.

Despite the circumstances, the situation remains unfortunate. Apple’s decision not to pay the bounty raises questions about ethical obligations and reputation within the security community.

Follow Arin: Twitter/X, LinkedIn, Threads
