Apple to expand bug bounty program, offer researchers access to iOS, iPhones

Apple is drastically overhauling its bug bounty program, eliminating its invitation-only status, increasing its rewards, expanding it to include macOS and other operating systems, and even agreeing to supply qualified researchers with special iPhones that are easier to probe for vulnerabilities.

Apple's head of security engineering Ivan Krstic announced these changes last week at the Black Hat cybersecurity conference in Las Vegas, according to multiple news reports.

The decision to provide hacker-friendly iPhones is a significant one, as Apple's protections make it notoriously painstaking for white-hats to dig deeply into iOS devices. According to a report from Forbes, this move could be a reaction to the spread of iOS "developer devices" to the black market. These dev devices are designed specifically for developer testing, and therefore lack the normal layers of protection found on a typical iPhone.

But once Apple launches its official iOS Security Research Device Program next year, ethical researchers will have access to specially coded phones that offer similar advantages to the dev devices that malicious actors can acquire on the black market.

Only a limited number of trusted researchers will be eligible to receive one of these phones. On the other hand, Apple this fall will be opening up its once invitation-only traditional bug bounty program to all researchers. Additionally, the Cupertino, California-based company is bolstering its financial rewards. Indeed, a persistent, kernel-level remote execution bug that requires no user interaction will now fetch as much as $1 million. Meanwhile a network attack that requires no user interaction will earn researchers $500,000.

Additionally, Apple is extending its bug bounty program to macOS, watchOS and Apple TV, Krstic reportedly announced.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.