Apple's expanded bug bounty program covers all operating systems, payouts up to $1M, speci...

Posted in macOS, edited August 8
Apple is opening its bug bounty program to cover all of its operating systems, with the company expanding and improving the scheme to pay researchers for finding bugs in macOS, watchOS, tvOS, iPadOS, and iCloud, along with the current payouts for iOS issues. Also new are special iPhones that will help select researchers surface vulnerabilities.

Black Hat 2019
Apple's new Security Bounty Program raises payouts. | Source: Trademarq via Twitter


Rumored in a report on Monday and announced during the Black Hat conference by Ivan Krstic, Apple's head of security engineering and architecture, the bug bounty program has been expanded to cover Apple's other operating systems. For the first time, Apple is defining payment tiers for security researchers who disclose vulnerabilities they find in macOS, with similar schemes also created for other platforms, including watchOS and tvOS.

The bounties also cover iPadOS, the offshoot from iOS, as well as issues with iCloud.

Payouts
+ 50% bonus for bugs in prerelease builds pic.twitter.com/eGHoTUAb4Y

-- Jesse D'Aguanno (@0x30n)


During the conference, Apple provided a list of maximum possible payouts, scaling with the difficulty of the attack. At the lower end of the iOS scale are items such as unauthorized access to iCloud account data on Apple's servers, a lock screen bypass requiring physical access, and unauthorized access to high-value user data from a user-installed app, each earning the finder at most $100,000.

At the other end of the range are harder targets, including a CPU side-channel attack on high-value user data from a user-installed app, one-click kernel code execution via a network attack that requires user interaction, and a zero-click radio-to-kernel attack requiring only physical proximity and no user interaction, each earning up to $250,000.

A vulnerability providing zero-click access to high-value user data over a network, with no user interaction, carries a maximum payout of $500,000. At the top of the list is a zero-click, full-chain kernel code execution attack with persistence, which can pay out up to $1 million.

Furthermore, if a researcher finds a vulnerability in a pre-release beta build and reports it to Apple before the public release, they stand to earn a bonus of up to 50% on top.

With a maximum possible payout of $1.5 million including the pre-release bonus, the program is a considerable step up in payments for Apple. Previously the maximum possible payment was $200,000.

Security researchers will be able to apply for the bug bounties later this year. The program will also open to all researchers this fall, rather than being limited to a select group of security experts approved by the iPhone maker.

Apple also used its Black Hat presentation to confirm that it will offer "dev devices" to a selection of trusted researchers as part of the iOS Security Research Device Program. These iPhones will be configured with permissions that provide deeper access to the inner workings of iOS, a move that could help increase the number of issues caught before they reach beta or public-release software.

The expansion of the bug bounty program is likely to be welcomed by security researchers such as Linus Henze, who earlier this year provided Apple with full details of a Keychain exploit he discovered. In February he initially withheld the details, demanding that Apple issue an official statement explaining why no macOS bug bounty program existed, but he later decided to hand them over to keep macOS secure.

Apple first introduced a bug bounty scheme in 2016, offering to pay researchers for finding exploits and flaws in iOS that could defeat the security of iPhones and iPads. Throughout its lifetime, there have been complaints that Apple failed to create a similar program for its other operating systems.

Comments

  • Reply 1 of 8
    Good.
  • Reply 2 of 8
    It's about time
  • Reply 3 of 8
    rob53, Posts: 2,074, member
    I hope Apple doesn't include anyone with any ties to the NSA, FBI, CIA or Homeland Security in this program because we all know their idea of securing Apple devices is to figure out how to insert a backdoor. 
  • Reply 4 of 8
    seanismorris, Posts: 1,043, member
    rob53 said:
    I hope Apple doesn't include anyone with any ties to the NSA, FBI, CIA or Homeland Security in this program because we all know their idea of securing Apple devices is to figure out how to insert a backdoor. 
    That doesn’t make any sense...

    Someone reports the vulnerability, then Apple provides the fix.

    You might be thinking of encryption algorithms... 

    Or,
    The alphabet soup agencies do stockpile vulnerabilities (don’t report them) in preparation for “cyber warfare” and for their hacking toolkits.  Multiple times those toolkits have ended up in the hands of criminals...
    edited August 8
  • Reply 5 of 8
    rob53 said:
    I hope Apple doesn't include anyone with any ties to the NSA, FBI, CIA or Homeland Security in this program because we all know their idea of securing Apple devices is to figure out how to insert a backdoor. 
    I doubt anyone from those alphabet organizations would be participating.  If anything they would be hording any vulnerabilities they could get their hands on.  Anything they got would never see the light of day.
  • Reply 6 of 8
    dewme, Posts: 2,125, member
    rob53 said:
    I hope Apple doesn't include anyone with any ties to the NSA, FBI, CIA or Homeland Security in this program because we all know their idea of securing Apple devices is to figure out how to insert a backdoor. 
    Zero day vulnerabilities are worth much more to those government agencies than anything Apple is going to pay in a bug bounty program. They also don't want any public or private attention paid to what they are doing. In all likelihood, Apple placing a higher price tag on bug bounties is simply going to increase the black market value of vulnerabilities and agencies with unlimited access to unbounded and untraceable funds are simply going to pony up whatever it takes to always be the highest bidder. 
  • Reply 7 of 8
    orthorim, Posts: 151, member
    Multiple times those toolkits have ended up in the hands of criminals...

    ... except they're already in the hands of criminals

  • Reply 8 of 8
    waltg, Posts: 90, member
    rob53 said:
    I hope Apple doesn't include anyone with any ties to the NSA, FBI, CIA or Homeland Security in this program because we all know their idea of securing Apple devices is to figure out how to insert a backdoor. 
    You must have something to hide to make this statement, or you're just too wrapped up in the "government is watching me" hype... Personally I've got entirely too much to do to worry about that silliness...