Network Security, Patch/Configuration Management, Vulnerability Management

Apple offers bug bounty program

On Thursday, Apple announced at Black Hat that it will begin offering up to $200,000 to researchers reporting critical security vulnerabilities in certain Apple software, including its underlying operating system iOS.

Ivan Krstic, head of security engineering at Apple, made the announcement of the Apple Security Bounty program at a presentation at the cybersecurity gathering in Las Vegas, now in its 19th year. He was presenting on three iOS security mechanisms – HomeKit, Auto Unlock and iCloud Keychain – technologies that handle sensitive user data.

While Apple has been less of a target for hackers than systems based on Windows, primarily owing to the dominance of Windows systems in the workplace as well as Apple's more stealthy security, the bug bounty offering is seen as a strategic move by the company to dissuade the selling of vulnerabilities on the underground market – whether to competitors or nation-state actors – looking for a backdoor into its coding.

Apple's bug categories and payouts:

  • Secure boot firmware components: up to $200,000. 
  • Extraction of confidential material protected by the Secure Enclave: up to $100,000. 
  • Execution of arbitrary code with kernel privileges: up to $50,000.
  • Unauthorized access to iCloud account data on Apple servers: up to $50,000. 
  • Access from a sandboxed process to user data outside that sandbox: up to $25,000.

When the bug bounty program rolls out next month, only an invited list of around two dozen security researchers will be eligible. These individuals have worked with the company previously and are said to have not received financial reward for their disclosures. Others outside of this group who submit worthy flaws, will be considered as well, Apple said.

The company said it would pay up to $200,000 for critical flaws in the secure boot firmware components, up to $100,000 for exploits that could extract confidential data from the Secure Enclave Processor – the secure chip that performs cryptographic tasks in its iPhone 5s and later, $50,000 for vulnerabilities that can result in arbitrary code execution with kernel privileges, $50,000 for ways to access iCloud account data on Apple's servers without authorization, and $25,000 for bugs that give bad actors access from inside a sandbox process to user data outside of that sandbox.

Other major technology companies –  including Microsoft, Facebook and Google – have long offered bug bounty programs. (BugCrowd keeps a running tally of bug bounty and disclosure programs.) Google rewarded white hats last year with more than $2 million for their discoveries, primarily for Android bugs. Facebook paid out more than $4 million over the past five years. Up until yesterday's announcement, Apple relied instead on internal security teams, frustrating white hat hackers trying to help the company close off flaws and receive rewards.

Researchers submitting to the program will need to provide proof-of-concept on the latest versions of iOS and Apple's latest hardware. If the researcher donates their award to a charitable foundation, Apple will match that donation.

Researchers might also be rewarded who share other exceptional critical vulnerabilities. Payment will be based on a number of factors, including the novelty of the bug disclosed, the chance of exposure and the extent of user interaction needed.

"This is a good start," Rich Mogull, analyst and CEO at Securosis, wrote on a blog post. "Apple didn't need a program, but can certainly benefit from one. This won't motivate the masses or those with ulterior motives, but it will reward researchers interested in putting in the extremely difficult work to discover and work through engineering some of the really scary classes of exploitable vulnerabilities."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.