In 2023, cybersecurity experts from Kaspersky Lab identified a vulnerability in Apple’s iOS that allowed hacking of any iPhone and installation of spy software. When such vulnerabilities are discovered, developers typically offer a Bug Bounty reward. However, Apple refused to pay the cybersecurity experts who had reported the vulnerability, a reward potentially totalling up to $1m.
According to RTVI, Dmitri Galov, head of the Russian research center Kaspersky Lab, reported that his company had discovered several critical zero-day vulnerabilities in iOS. These could be exploited remotely without user interaction. Despite providing this information to Apple, the company ignored its own Security Bounty program, denying the promised reward of up to $1m.
Galov mentioned that the discovered vulnerabilities were actively exploited by cybercriminals in a large-scale cyber espionage campaign named “Operation Triangulation.” The objective was espionage: intelligence gathering from infected iPhones, including geolocation, files, photos, videos, audio recordings and more. Owners of iPhones worldwide, including embassy and diplomatic mission employees, were victims of this attack. The exploit was launched via incoming messages, requiring no action from the user.
Kaspersky Lab’s experts theorise the large-scale cyber espionage campaign was backed by commercial structures or state special services, but concrete evidence was yet to be found.
After the discovery was confirmed and published, Apple released updates to fix these vulnerabilities, CVE-2023-32434 and CVE-2023-32435, in iOS. They even mentioned the Kaspersky personnel who found them. However, they ignored their bounty program and did not pay the due reward to the Russian security experts. The spy software posed a threat to all iOS versions prior to iOS 15.7.
Kaspersky Lab stated they do not require monetary reward from Apple, and often donate such funds to charity. Apple, however, refused to even pay charities citing internal policies without explanation.
Following the incident, Kaspersky Lab decided to stop using Apple devices entirely, opting for smartphones and tablets running Android OS. Dmitri Galov stated that Android offers more opportunities for security and device control.
Apple has not yet commented on the situation of refusing to pay the promised reward under their own advertised Security Bounty program.