Digital and information security is something that everybody’s had to become all too familiar with over the past decade. As we carry around devices that themselves store everything from our friends’ contact details to our bank account information, it’s become ever more crucial that those devices be well secured against all possible intruders.

In general, Apple’s track record on security has been pretty solid. The App Store’s walled garden, while often the target of derision from competitors, has done an effective job of curtailing malware on the platform and the company issues frequent security updates to its products.

But even Apple isn’t without its security shortcomings, and a few recent incidents suggest that the company may need to go beyond just patching vulnerabilities in its software and change the procedures around how it deals with the people who uncover those vulnerabilities.

Bounty hunting

Apple came fairly late to the idea of a bug bounty program, which it only launched in 2016. Competitors, both first- and third-party, have long offered these initiatives, in which security researchers are paid for reporting specific types of vulnerabilities. Apple’s program offers a sliding scale of payments, depending on the severity of the bug: $200,000 for compromising the secure boot process, for example, all the way down to $25,000 for a way to reach user data outside the iOS sandbox from within a sandboxed process. At launch, the company offered bounties for five different categories of exploit.

Here we run into the first problem. Those payouts, while they may sound impressive to laypeople like us, are actually relatively small compared with what security researchers can get paid by selling those same exploits to other firms, some of which offer more than twice what Apple will pay. Why? Because there are hundreds of millions of iOS devices out there and vulnerabilities—especially serious ones—are pretty rare, so a working exploit commands a premium. Intelligence and law enforcement agencies, among others, are always looking for ways to break into other people’s devices.

Step one would be for Apple to improve the payouts on its bugs. The company is far from cash poor, and even though it doesn’t want to spend money it doesn’t have to, can it afford not to raise its rewards when its biggest platform—and one whose security it isn’t shy about boasting of—is at stake? This is just as much an investment in the company’s future as spending billions on research and development.

No dis-invitations!

Let’s assume that you are willing to sell your exploit to Apple for less money than you could get elsewhere, possibly out of a sense of doing the right thing. You may not be able to, because the bug bounty program is currently available only by Apple’s invitation.

That leads to situations like the recent Group FaceTime bug, which was initially uncovered by fourteen-year-old Grant Thompson, whose mother subsequently tried to report the bug to Apple. (After the bug became public and Thompson’s role became apparent, Apple paid a visit to the teenager, who will now receive the bounty.)

Macworld