Apple has come under scrutiny after being accused by Kaspersky, a prominent Russian cybersecurity company, of refusing to pay a reward for uncovering a serious security vulnerability in iOS. Kaspersky reported that Apple declined to compensate it for the discovery of a significant zero-day vulnerability, part of a complex espionage campaign dubbed ‘Operation Triangulation’. Despite proactively sharing detailed information about the vulnerability with Apple and offering to donate the bounty to charity, Kaspersky stated that Apple refused to give a specific reason.
This zero-day vulnerability is one of four exploited in the Triangulation campaign, which allowed attackers to compromise affected iPhones and gain complete control of them. Kaspersky also reverse-engineered one of the vulnerabilities in the attack chain, CVE-2023-38606, revealing that it is a flaw in the iOS kernel that the attackers used to execute arbitrary code and elevate privileges. Kaspersky’s analysis and reporting of this vulnerability assisted Apple in issuing an emergency security patch.
Apple’s bounty program offers rewards of up to $1 million for the discovery of zero-day vulnerabilities. However, it is speculated that because Kaspersky is headquartered in Russia, a country under US sanctions, Apple may be unable to pay the reward.
Apple’s decision has sparked controversy in the cybersecurity community, with some experts suggesting that Apple should adopt a more flexible approach, such as donating the prize money to charity on behalf of Kaspersky, so that the reward can be paid while still complying with sanctions.