Apple Expands Bug Bounty; Raises Max Reward to $1 Million
Company Will Give Some Security Experts Access to Special Devices
Apple is opening up its bug bounty program to more researchers, increasing the potential rewards and expanding the pool of qualifying products in a bid to attract tips on critical software flaws.
Ivan Krstić, head of Apple's security engineering and architecture, announced the changes last week at the Black Hat security conference in Las Vegas.
Due to launch next year, the program will give vetted researchers special iOS devices that allow them to hunt for hard-to-find vulnerabilities. Security industry veterans praised the move because Apple had been criticized for being somewhat aloof to outside researchers.
"Dear Apple PR: @radian did a fantastic job representing your brand today," writes Alex Stamos, former chief security officer at Facebook and Yahoo, on Twitter. "Apple has a reputation of not allowing their security team to interact with the community; hopefully this is a fresh start."
Top Bounty: $1 Million
The maximum reward has been raised to $1 million for one of the most dangerous kinds of software flaws: a kernel-level vulnerability that requires no interaction from the victim and achieves persistence on the device. There's also a menu of increased awards for various other classes of problems.
"Apple's new bounty program (includes macOS) and 0-click JB = $1,000,000~" pic.twitter.com/AH6Df0GTPa — iFenix (@iFenixx), August 8, 2019
Researchers can also apply to gain access to pre-release software. In addition, vetted researchers will be given special iOS research devices that ship with SSH access, a root shell and advanced debugging capabilities, according to a slide from Krstić's presentation that was posted on Twitter.
The program will be open to "everyone with a record of high-quality systems security research on any platform," the slide says.
"iOS security research device program!" pic.twitter.com/4NsKH1DMGd — Jesse D'Aguanno (@0x30n), August 8, 2019
The bug bounty program will also cover a range of Apple products, including macOS, iCloud, tvOS, iPadOS and watchOS. The current program only covers iOS and iCloud, Apple's storage and backup service.
The highest previous bounty was $200,000, which was for a flaw in secure boot firmware components. Researchers also had to be invited to the bug bounty program, which by design narrowed participation.
The announcement drew praise, including from Patrick Wardle, an Apple security expert and principal security researcher with Jamf.
"Kudos to Apple for launching an open, comprehensive, competitive, bug-bounty program! Sure this mutually benefits security researchers & Apple, but end users should be also stoked on the increased security this brings...now off to submit bugs" https://t.co/VKN5Y4LUxv — patrick wardle (@patrickwardle), August 8, 2019
Bug Bounties Expand
Bug bounty programs are becoming more widespread thanks to management services offered by third-party companies. Compared to five years ago, software companies have become more generous with rewards, seeing value in a crowdsourced approach.
Also, bug bounty programs have helped reduce friction between researchers and companies. In the past, bug disclosures have resulted in legal threats against researchers who went public, sometimes out of frustration as to how their findings were received.
Experts have said that bug bounty programs often result in improved security because they draw more eyes onto the code, increasing the chances that security flaws are found before one is exploited by cybercriminals, nation-states or other actors.
"Apple is doing some _smart_ stuff," writes Thomas Ptacek, a security researcher and principal at Latacora. "Developer-unlocked devices for security researchers. Bounty premiums for findings in beta releases; partly flips the script on the economics of vulnerabilities."
Apple launched its bug bounty program only three years ago. The company has sought to distinguish itself from competitors in the security and privacy realms, so broadening the bug bounty's scope makes sense.
Also, the improved rewards provide more of an incentive for researchers to turn over information about a flaw to Apple rather than to third-party vulnerability dealers. Concerns have been raised over whether those companies' customers are using exploits in ethically questionable scenarios, such as against human rights activists.