Apple announced a bug bounty program on Thursday, a much-needed departure from the past. The program will pay up to US$200,000 for vulnerability reports on Apple software. In another departure, Apple made the announcement at the annual Black Hat security conference in Las Vegas. Apple hasn’t given a presentation at the event in four years.
Apple was a lone standout in not having a bug bounty program. Such programs are designed to reward researchers for finding vulnerabilities. More importantly, bug bounties keep some researchers from selling those vulnerabilities to criminals and foreign governments.
Details on Apple Bug Bounty Program
According to TechCrunch, Apple has five categories of bounties, each with a different maximum payout:
- Vulnerabilities in secure boot firmware components: Up to $200,000
- Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
- Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
- Access to iCloud account data on Apple servers: Up to $50,000
- Access from a sandboxed process to user data outside the sandbox: Up to $20,000
Apple will determine the total bounty (up to that maximum) on a case-by-case basis. The company will be considering “the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.”
Apple is also adding a wrinkle to its program: it will match the bounty if the researcher donates it to charity. That means Apple could end up paying out as much as $400,000 for a single report. It will be interesting to see if any researchers take up the offer.
The Security World
Hackers and researchers alike have long had a complex relationship with Apple. For many years, they complained the company was closed, secretive, and too slow to respond to the vulnerabilities they reported. Apple began working on that several years ago, beefing up its hires in the area and working hard to be more responsive to that community.
But the lack of a bounty program still rankled researchers who felt like their efforts were largely unthanked and certainly unrewarded. Apple has apparently reached a point where it’s willing to change that, at least to a point. The program is being launched as an invitation-only affair, and only those who have already submitted “valuable vulnerabilities” will get an invite.
The thing is that Apple has always received vulnerability reports, but those vulnerabilities are becoming more and more valuable. Authoritarian regimes and surveillance-state democracies alike have teams of highly paid specialists tasked with finding exploits. Criminals are willing to pay more and more for zero-day vulnerabilities, too, because they can reap ever-higher financial gains from compromising our devices.
The FBI reportedly paid more than a million dollars for the exploit that was used to crack Syed Farook’s work iPhone.
The reality is that not even Apple can compete with governments when it comes to paying for vulnerability reports. But there are a lot of researchers and hackers who just want to make our stuff more secure. Apple’s bug bounty program will reward some of that work and hopefully divert even more vulnerabilities Apple’s way so they can be patched.
As such, this is great news.