Black Hat Las Vegas: Apple offers bug bounty programme
Apple's bug bounty program rolls out next month, only to selected researchers at first
On Thursday, Apple announced at Black Hat that it will begin offering up to $200,000 to researchers reporting critical security vulnerabilities in certain Apple software, including its underlying operating system iOS.
Ivan Krstic, head of security engineering at Apple, made the announcement of the Apple Security Bounty programme at a presentation at the cyber-security gathering in Las Vegas, now in its 19th year. He was presenting on three iOS security mechanisms – HomeKit, Auto Unlock and iCloud Keychain – technologies that handle sensitive user data.
While Apple has been less of a target for hackers than systems based on Windows, primarily owing to the dominance of Windows systems in the workplace as well as Apple's more stealthy security, the bug bounty offering is seen as a strategic move by the company to dissuade the selling of vulnerabilities on the underground market – whether to competitors or nation-state actors – looking for a backdoor into its coding.
Apple's bug categories and payouts:
When the bug bounty programme rolls out next month, only an invited list of around two dozen security researchers will be eligible. These individuals have worked with the company previously and are said to have not received financial reward for their disclosures. Others outside of this group who submit worthy flaws, will be considered as well, Apple said.
The company said it would pay up to $200,000 (£150,000) for critical flaws in the secure boot firmware components, up to $100,000 for exploits that could extract confidential data from the Secure Enclave Processor – the secure chip that performs cryptographic tasks in its iPhone 5s and later – $50,000 for vulnerabilities that can result in arbitrary code execution with kernel privileges, $50,000 for ways to access iCloud account data on Apple's servers without authorisation and $25,000 for bugs that give bad actors access from inside a sandbox process to user data outside of that sandbox.
Other major technology companies – including Microsoft, Facebook and Google – have long offered bug bounty programmes. (BugCrowd keeps a running tally of bug bounty and disclosure programmes.)
Google rewarded white hats last year with more than $2 million (£1.5m) for their discoveries, primarily for Android bugs. Facebook paid out more than $4 million (£3m) over the past five years. Up until yesterday's announcement, Apple relied instead on internal security teams, frustrating white hat hackers trying to help the company close off flaws and receive rewards.
Researchers submitting to the programme will need to provide proof-of-concept on the latest versions of iOS and Apple's latest hardware. If the researcher donates their award to a charitable foundation, Apple will match that donation.
Researchers might also be rewarded who share other exceptional critical vulnerabilities. Payment will be based on a number of factors, including the novelty of the bug disclosed, the chance of exposure and the extent of user interaction needed.
"This is a good start," Rich Mogull, analyst and CEO at Securosis, wrote on a blog post. "Apple didn't need a program, but can certainly benefit from one. This won't motivate the masses or those with ulterior motives, but it will reward researchers interested in putting in the extremely difficult work to discover and work through engineering some of the really scary classes of exploitable vulnerabilities."