Apple Expands Bug Bounty; Raises Max Reward to $1 Million

Company Will Give Some Security Experts Access to Special Devices
Apple is opening up its bug bounty program to more researchers, increasing the potential rewards and expanding the pool of qualifying products in a bid to attract tips on critical software flaws.

Ivan Krstić, head of Apple’s security engineering and architecture, announced the changes last week at the Black Hat security conference in Las Vegas.

Due to launch next year, the program will give vetted researchers special iOS devices that allow them to hunt for hard-to-find vulnerabilities. Security industry veterans praised the move because Apple had been criticized for being somewhat aloof to outside researchers.

“Dear Apple PR: @radian did a fantastic job representing your brand today,” writes Alex Stamos, former chief security officer at Facebook and Yahoo, on Twitter. “Apple has a reputation of not allowing their security team interact with the community, hopefully this is a fresh start.”

Top Bounty: $1 Million

The maximum reward has been upped to $1 million for one of the most dangerous kinds of software flaws: a kernel-level vulnerability that requires no interaction on behalf of the victim and persists. There’s also a menu of increased awards for various other problems.

Researchers can also apply for access to pre-release software. Vetted researchers will also be given inside access to iOS, including devices that ship with SSH, a root shell and advanced debugging capabilities, according to a slide from Krstić’s presentation that was posted on Twitter.

The program will be open to “everyone with a record of high-quality systems security research on any platform,” the slide says.

The bug bounty program will also cover a range of Apple products, including macOS, iCloud, tvOS, iPadOS and watchOS. The current program only covers iOS and iCloud, Apple’s storage and backup service.

The highest previous bounty was $200,000, which was for a flaw in secure boot firmware components. Researchers also had to be invited to the bug bounty program, which by design narrowed participation.

The announcement drew praise, including from Patrick Wardle, an Apple security expert and principal security researcher with Jamf.

Bug Bounties Expand

Bug bounty programs are expanding thanks to management services offered by third-party companies. Compared to five years ago, software companies have become more generous with rewards, seeing value in a crowdsourced approach.

Also, bug bounty programs have helped reduce friction between researchers and companies. In the past, bug disclosures have resulted in legal threats against researchers who went public, sometimes out of frustration as to how their findings were received.

Experts have said that bug bounty programs often result in improved security because they draw more eyes onto the code, increasing the chances that security flaws are found before one is exploited by cybercriminals, nation-states or other actors.

“Apple is doing some _smart_ stuff,” writes Thomas Ptacek, a security researcher and principal at Latacora. “Developer unlocked devices for security researchers. Bounty premiums for findings in beta releases; partly flips the script on the economics of vulnerabilities.”

Apple launched its bug bounty program only three years ago. The company has sought to distinguish itself over competitors in the security and privacy realms, so it makes sense to broaden the bug bounty’s scope.

Also, the improved rewards provide more of an incentive for researchers to turn over information about a flaw to Apple rather than to third-party vulnerability dealers. Concerns have been raised over whether those companies are using exploits in ethically questionable scenarios, such as against human rights activists.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
