Apple to reportedly provide 'dev device' iPhones for bug hunting, introduce Mac bounty

Posted:
in General Discussion edited August 5
Apple will furnish vetted security researchers special iPhone variants in efforts to suss out hardware and software vulnerabilities, according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

Black Hat
Apple's Ivan Krstic announces the bug bounty program at Black Hat USA 2016.


Citing people familiar with Apple's plans, Forbes reports special iPhone hardware will be supplied to participants of the tech giant's invitation-only bug bounty program.

Details are scarce, but sources describe the iPhones as "dev devices" that offer researchers far more latitude in probing for iOS vulnerabilities than common consumer variants. While not quite as unrestricted as units supplied to Apple's own security team, the bug bounty handsets are expected to allow bug hunters to halt processor operations and inspect system memory while conducting targeted attacks, the report said.

Apple intends to protect its most prized code, however, as the report notes hackers are unlikely to gain access to key iPhone firmware.

The report speculates Apple's decision to seed the special iPhones to bug bounty members stems from industry reactions to leaked dev devices. In the past, security researchers have benefitted from access to developer hardware, especially in surfacing crucial zero-day vulnerabilities.

Along with the dev device program, Apple is also expected to announce a new bug bounty program for macOS. Currently, the company limits its bug bounty to iOS -- its most important platform -- with payments ranging from $200,000 for exploits related to secure boot firmware components to $25,000 for less critical flaws.

Researchers have called on Apple to create a macOS bug bounty for years, but the company has shown little interest in following through with a formal program. Apple's stance on the issue was brought to the fore in February when German teenager Linus Henze uncovered a macOS Keychain exploit but refused to hand over details in protest. Henze ultimately divulged his findings, saying the vulnerability was too important to keep secret.

Sources say Apple plans to announce both the dev iPhone program and Mac bug bounty initiative at the Black Hat security conference this week. Apple's security engineering chief Ivan Krstic is scheduled to discuss iOS 13, macOS Catalina and more during a presentation on Thursday.

Comments

  • Reply 1 of 8
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    caladanianseanismorrisMplsPcornchip
  • Reply 2 of 8
    ...I would ask if the general approach of (i)Cloud (as a concept) may be reasonably considered a vulnerability, strategically and simply by design...? Is there merit in offerings such as owncloud.com/private-cloud/ that suggest a distributed cloud may offer a more secure or at least less attractive and targetable option...?

    I might also ask about Photos auto-tagging (offer an off preference) and rolling out an implementation of S/MIME email encryption 'for the rest of us' that is free like the macOS apps, and given the efficacy already built in to both macOS and iOS...?

    edited August 6 cornchip
  • Reply 3 of 8
    Arina14Arina14 Posts: 10member
    I think it's a great idea if this is true. Hopefully, these initiatives will help minimize the number of shortfalls that plague Mac and iPhone users.
  • Reply 4 of 8
    seanismorrisseanismorris Posts: 1,015member
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    #2 *******

    Looks like Apple is finally getting serious about security.

    Now they just need to find out what’s up with Cellebrite... 
    There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.
  • Reply 5 of 8
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    #2 *******

    Looks like Apple is finally getting serious about security.

    Now they just need to find out what’s up with Cellebrite... 
    There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.
    Plot twist: Where do you think Cellebrite get's some of their vulnerabilities?  Dunh... dunh... duuuuuunnhh :o   Okay, I'm mostly just joking but it's not beyond the realm of possibility.  More likely though, Apple introduces new vulnerabilities every time they update the OS.  It's how software development works and why there's a ton of time devoted to betas... to get rid of as many bugs and vulnerabilities before pushing out the update.  Some are always missed - cuz human.

    But it's funnier to think of Cellebrite participating in some dark web vulnerability auction against a guy menacingly stroking a grumpy cat :D
    edited August 6 cornchip
  • Reply 6 of 8
    StrangeDaysStrangeDays Posts: 8,244member
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    #2 *******

    Looks like Apple is finally getting serious about security.

    Now they just need to find out what’s up with Cellebrite... 
    There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.
    I’d hardly conclude they’re only now finally getting serious about security. Compare the number of serious vulnerabilities in Windows to OS X over the years. 
  • Reply 7 of 8
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    #2 *******

    Looks like Apple is finally getting serious about security.

    Now they just need to find out what’s up with Cellebrite... 
    There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.
    I’d hardly conclude they’re only now finally getting serious about security. Compare the number of serious vulnerabilities in Windows to OS X over the years. 
    Pretty sure you knew the comment was about Apple's seemingly indifferent attitude regarding a bounty program for Mac OS vs it's early adoption of a program for iOS.  But hey, this was just another opportunity to point the finger "over there at somebody else" instead of honestly assessing what's in your own house.  We can't pass that up, amirite.

    Apple is (hopefully, if the rumor is true) finally showing Mac's the concern it should have been showing when it first intro'd bounty programs.  Celebrate that instead of trying to kick dirt on others.


    ctt_zhmuthuk_vanalingam
  • Reply 8 of 8
    dysamoriadysamoria Posts: 2,257member
    How about fixing userland non-security bugs too? We’ve been reporting some of these for well over SIX YEARS already.
Sign In or Register to comment.