How secure is Apple?

Since 2005 Apple has been listing all responsibly disclosed vulnerabilities (web application security) on a dedicated page. In total, 435 bugs are listed, reported by hundreds of individuals.

In 2011 I had already written a post about vulnerabilities I had found in Apple's sites. The post was called Apple XSS Gallery and I remember there was a lot of buzz around it. (The post was #1 on HN for a while.)

Today I asked myself whether anything has changed.


I found most of the bugs in August 2011 and published the story in November 2011, after Apple had fixed all the issues. I think there are several reasons why the number of submissions has increased. Many big players (Google, Facebook, PayPal, Yandex, GitHub) had started bug bounty programs around that time and attracted many people looking for fame and some $$$.

14 SQL Injections and 5 Remote Code Executions


If we assume the list of vulnerabilities is complete, then a total of 435 issues over all those years is pretty low. Is Apple doing a good job on security? I don't think so. When we compare the numbers with other programs, we can see that the number of submissions to a paid bounty program is much higher. For example, Google had 700 paid reports in the first year.

Find My iPhone API


I'm sure the missing rate limit for brute-forcing passwords in the Find My iPhone API would have been found if Apple had paid for those bugs.
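To make the class of bug concrete, here is an added example that is not from the original post and has nothing to do with Apple's actual code: a minimal password-check service with no rate limit, next to one that locks an account after a handful of consecutive failures, and a brute-force loop run against both. The user name, password, wordlist, lockout thresholds and the reduced PBKDF2 iteration count are all constructed for this illustration.

```python
"""Added example: an unthrottled login check versus one with per-account
lockout, and a brute-force loop run against both. Nothing here is Apple's
code; names, wordlist and thresholds are constructed for the demo."""
import hashlib
import hmac
import os
import time

# Constructed sample wordlist; a real attack would use a far longer one.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "sunshine1"]


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count is kept low so the demo runs quickly; production code
    # should use a much higher count (or a memory-hard function like scrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class RateLimited(Exception):
    """Raised when an account is temporarily locked."""


class UnlimitedAuth:
    """Vulnerable: answers every guess, however many and however fast."""

    def __init__(self, users: dict):
        self._store = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self._store[user] = (salt, _hash(pw, salt))

    def login(self, user: str, password: str) -> bool:
        entry = self._store.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)


class ThrottledAuth(UnlimitedAuth):
    """Hardened: after MAX_FAILURES consecutive failures the account is
    locked for LOCKOUT_SECONDS. While locked, every attempt (even one with
    the right password) is rejected before the hash is checked. The failure
    counter resets on a successful login. The clock is injectable so the
    lockout expiry can be exercised deterministically."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 900

    def __init__(self, users: dict, clock=time.monotonic):
        super().__init__(users)
        self._clock = clock
        self._failures = {}  # user -> (consecutive failures, locked_until)

    def login(self, user: str, password: str) -> bool:
        count, locked_until = self._failures.get(user, (0, 0.0))
        now = self._clock()
        if now < locked_until:
            raise RateLimited(f"{user} is locked for {locked_until - now:.0f}s")
        if super().login(user, password):
            self._failures.pop(user, None)
            return True
        count += 1
        if count >= self.MAX_FAILURES:
            # Lock the account and start a fresh window afterwards.
            self._failures[user] = (0, now + self.LOCKOUT_SECONDS)
        else:
            self._failures[user] = (count, locked_until)
        return False


def brute_force(auth: UnlimitedAuth, user: str, wordlist: list):
    """Try each candidate in order. Returns (password or None, attempts made)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        try:
            if auth.login(user, candidate):
                return candidate, attempts
        except RateLimited:
            return None, attempts
    return None, attempts


class FakeClock:
    """Manually advanced clock so the lockout window can be tested offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    users = {"alice": "sunshine1"}  # constructed account
    print("no rate limit:", brute_force(UnlimitedAuth(users), "alice", WORDLIST))
    clock = FakeClock()
    throttled = ThrottledAuth(users, clock=clock)
    print("with lockout: ", brute_force(throttled, "alice", WORDLIST))
```

Run against the unthrottled service the loop recovers the password on the sixth guess; against the throttled one the fifth failure locks the account and the sixth call is refused before the hash is even computed. The trade-off is visible in the same code: during the lockout window the legitimate owner is locked out too, which is why real deployments pair lockout with per-IP throttling or escalating delays rather than relying on account lockout alone.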

Apple has a market cap of $613.76 billion and yet isn't able to introduce a Vulnerability Reward Program like other major Internet companies have.

This is sad.