
I'm not familiar with the market but these seem low when you consider:

- The effort required to find them

- The damage that can be inflicted on Apple in terms of brand goodwill and the subsequent loss of sales, e.g. the SEP implications for Apple Pay

- The damage that can be inflicted on users and 3rd parties, e.g. imagine the amount of cash banks would be on the hook for if someone managed to, say, write a worm that used iMessage/SMS to propagate without user knowledge (e.g. with the recent TIFF vulnerability) and transfer funds from the user's bank account? Or made calls to the baseband to dial shady $10/minute premium rate numbers in some banana republic at 3AM every night?

- The amount of money TLAs and black market actors allegedly pay per the TC article.

- How much money Apple actually has, especially all the offshore cash that can't be repatriated to the US without incurring exorbitant capital gains. These bug bounties could be remitted from any Apple subsidiary.

- Large bug bounties would de facto end jailbreaking

- Knowing Apple there would be endless NDAs and restrictive covenants before any payout is made.

IMO with all this considered the max payouts seem irrationally paltry.




As tptacek loves to point out, the point of bug bounty programs is not to compete on price with the black market. And in fact, according to the article, the $200k Apple is offering is one of the highest for corporate bug bounty programs already.


That $200k boot ROM bounty might be the single instance I know of where a stated bounty value might be lower than the actual market for the vulnerability. If you were slick, you might make more from that bug than Apple would pay with the bounty. That is a bug class with a current, existing, liquid market.

The rest of them seem more than reasonable.

None of them are adequate compensation for the full-time work of someone who can find those kinds of bugs. Nor are they meant to be. If you can, for instance, find a bug that allows you to violate the integrity of the SEP, you have a market value as a consultant significantly higher than that $100k bug bounty --- which will become apparent pretty quickly after Apple publicly thanks you for submitting the bug, as they've promised to do.


No doubt there's going to be some low-hanging fruit (speaking relative to the experience of the participants) that is going to get scooped up quickly, so why would they open the program at something higher? Just high enough to entice the experts to pick off the "easy" ones seems the intelligent thing to do.

When they go a year or two with no bugs found maybe you'll see them start upping the bid.



