In 2011 I already wrote a post about vulnerabilities I had found in Apple's sites. The post was called "Apple XSS Gallery" and I remember there was a lot of buzz around it (it was #1 on HN for a while). Today I asked myself whether anything has changed since then.
Reports per month for Apple
I found most of the bugs in August 2011 and published the stories in November 2011, after Apple had fixed all the issues. I think there are several reasons why the number of submissions has increased. Many big players (Google, Facebook, PayPal, Yandex, GitHub) had started bug bounty programs at that time and attracted many people looking for fame and some $$$.
14 SQL Injections and 5 Remote Code Executions
If we assume the list of vulnerabilities is complete, then a total of 435 issues over the last years is pretty low. Is Apple doing a good job on security? I don't think so. When we compare the numbers with other programs, we can see that the number of submissions to a rewarded bounty program is much higher. For example, Google had 700 paid reports in the first year.
Find My iPhone API
I'm sure the missing rate limit on password brute-forcing in the "Find My iPhone API" would have been found if Apple had paid for those bugs.
Apple has a market cap of 613.76 billion US dollars and isn't able to introduce a Vulnerability Reward Program like the other major Internet companies.
This is sad.