Apple announces bug bounty programme

ZDnet points out that other major companies like Amazon and Microsoft and prominent startups like Uber and Airbnb have had bug bounty programs for many years and have been paying ethical hackers who find holes in their products and services.

The offer was presented at Black Hat, a large computer security conference, where the audience burst into applause when Apple’s security engineer Ivan Krstić flashed a slide with the announcement on the screen.

Apple will pay up to $200,000 for critical flaws in the secure boot firmware components; up to $100,000 for exploits that can extract confidential material from the Secure Enclave Processor (the secure chip that performs cryptographic operations in the iPhone 5s and later); $50,000 for bugs that can result in arbitrary code execution with kernel privileges; $50,000 for ways to access iCloud account data on Apple’s servers without authorization; and $25,000 for vulnerabilities that provide access from inside a sandboxed process to user data outside of that sandbox.

I understand the need to limit – at least initially – involvement in the bounty program, but I do hope Apple commits to expanding the individuals and groups involved quickly. iOS as a platform deserves as many eyes on it as possible.

The program will start as invitation-only so as to eliminate a flood of fake submissions, but if a party discloses an important bug to Apple they will be invited into the program.

Although it’s great that Apple is introducing a security bounty, it’s worth noting that the company has taken its time getting here. Apple is also one of the last big companies to launch a security rewards program. And the Federal Bureau of Investigation implied earlier this year that it paid $1 million to an outside firm to gain access to the phone of San Bernardino shooter Syed Farook. That’s harder than simply submitting bugs that might be critical and leaving it to the company to investigate. “I think they’re just slightly controlling it to begin with”.

Still, a bug bounty program could prove to be better than none at all, as more vulnerabilities could be reported to Apple instead of simply floating around, waiting to be discovered and exploited by hackers with bad intentions. Bad programs pay poorly, and patches don’t appear for months.

Jailbreakers have also used Apple vulnerabilities to allow access to the iPhone.

“Since proving exploitability with a repeatable proof of concept is far more labor intensive than merely finding a vulnerability, pay the researchers a fair value for their work”, Mogull said in a post. Find exploitable bugs in key areas they consider a priority. In an unusual move, Apple will encourage people who receive rewards to donate them to charity, and the Cupertino company will match donations to approved institutions.
