by enlightenedfool 741 days ago
Does Kaspersky care at all about the monetary aspect of the bounty? I think they are ethically bound and probably already know they will not get paid.

According to TFA, they care:

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a useful job,” Dmitry Galov, head of the Russian research center at Kaspersky Lab, told Russian news outlet RTVI. “Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.”

Galov even proposed that Kaspersky donate the bounty to charity, but Apple rejected this, citing internal policies without explanation. It’s not uncommon for research firms to donate bounty payments from large companies to charity. Some perceive it as an extension of their ethical obligation, but it undeniably contributes to a positive reputation within the security community.

“Considering how much information we provided them and how proactively we did it, it is unclear why they made such a decision.”

> “…for which they must pay a bug bounty”

Galov’s statement is plainly wrong. The very first line in Apple’s bug bounty program terms and conditions states that awards are granted solely at their exclusive discretion.

There is no “must.”

Was the quote in English or a translation?
> “Considering how much information we provided them and how proactively we did it, it is unclear why they made such a decision.”

It is because you uncovered the backdoor, stupid. They worked hard to hide it. /s