Apple finally announces bug bounty program

Apple is finally going to monetarily reward security researchers for spotting and responsibly disclosing bugs in the company’s products.

Apple bug bounty program

The announcement that a bug bounty program is going to be set up by the company this September was made by Ivan Krstić, Apple’s head of security engineering and architecture, at Black Hat USA 2016.

His presentation was also rather uncharacteristic for Apple, as it included the sharing of details about several of the companies data protection and security technologies.

The Apple bug bounty program

Krstić revealed that the Apple bug bounty program will be invite-only at the beginning: only a few dozen researchers have been asked to participate.

Their names haven’t been revealed, but it is known that they have worked with Apple in the past. Still, he said that the company will accept bug reports from other bug hunters, if the found flaw is deemed critical enough.

In due time, everybody will be able to participate in the program, and its scope will widen, too.

For now, we know that Apple will pay a maximum of:

  • $200,000 for flaws in secure boot firmware components
  • $100,000 for flaws that allow the extraction of confidential material protected by the Secure Enclave
  • $50,000 for vulnerabilities that can lead to execution of arbitrary code with kernel privileges
  • $25,000 for holes that allow access from a sandboxed process to user data outside of that sandbox, and
  • $50,000 for vulnerabilities that can let attackers access to iCloud account data on Apple servers without authorization.

The actual reward amount will depend on the severity and exploitability of the bug. Apple will require researchers to submit a proof-of-concept exploit of the bag on the latest iOS version and hardware.

Why the change of heart?

While other tech giants like Google and Microsoft have been operating bug bounty programs for a while now, Apple has previously been reluctant to set up one.

So, what changed?

According to Krstić, Apple’s internal efforts at finding bugs have become much harder lately, as most of the “low-hanging” flaws seem to have been found and fixed.

So, the time has come to call in outside researchers to help with the finding of some of the most critical types of security vulnerabilities.

It’s also possible that the reports that the FBI has paid a bug hunter for a zero-day exploit that allowed them to access the encrypted contents of San Bernardino gunman’s has had something to do with it.

And, earlier this year, a team of Johns Hopkins University researchers discovered a zero-day flaw in Apple’s iOS encryption, and the world found out about how the AceDeceiver iOS malware exploits Apple design flaw to infect non-jailbroken devices.

Black Hat USA 2016