Apple to reportedly provide 'dev device' iPhones for bug hunting, introduce Mac bounty

Posted in General Discussion, edited August 2019
Apple will furnish vetted security researchers special iPhone variants in efforts to suss out hardware and software vulnerabilities, according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

Apple's Ivan Krstic announces the bug bounty program at Black Hat USA 2016.

Citing people familiar with Apple's plans, Forbes reports special iPhone hardware will be supplied to participants of the tech giant's invitation-only bug bounty program.

Details are scarce, but sources describe the iPhones as "dev devices" that offer researchers far more latitude in probing for iOS vulnerabilities than common consumer variants. While not quite as unrestricted as units supplied to Apple's own security team, the bug bounty handsets are expected to allow bug hunters to halt processor operations and inspect system memory while conducting targeted attacks, the report said.

Apple intends to protect its most prized code, however, as the report notes hackers are unlikely to gain access to key iPhone firmware.

The report speculates that Apple's decision to seed the special iPhones to bug bounty members stems from industry reactions to leaked dev devices. In the past, security researchers have benefited from access to developer hardware, especially in surfacing crucial zero-day vulnerabilities.

Along with the dev device program, Apple is also expected to announce a new bug bounty program for macOS. Currently, the company limits its bug bounty to iOS -- its most important platform -- with payments ranging from $200,000 for exploits related to secure boot firmware components to $25,000 for less critical flaws.

Researchers have called on Apple to create a macOS bug bounty for years, but the company has shown little interest in following through with a formal program. Apple's stance on the issue was brought to the fore in February when German teenager Linus Henze uncovered a macOS Keychain exploit but refused to hand over details in protest. Henze ultimately divulged his findings, saying the vulnerability was too important to keep secret.

Sources say Apple plans to announce both the dev iPhone program and Mac bug bounty initiative at the Black Hat security conference this week. Apple's security engineering chief Ivan Krstic is scheduled to discuss iOS 13, macOS Catalina and more during a presentation on Thursday.

Comments

  • Reply 1 of 8
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
  • Reply 2 of 8
    bobolicious Posts: 1,146 member
    ...I would ask if the general approach of (i)Cloud (as a concept) may be reasonably considered a vulnerability, strategically and simply by design...? Is there merit in offerings such as owncloud.com/private-cloud/ that suggest a distributed cloud may offer a more secure or at least less attractive and targetable option...?

    I might also ask about Photos auto-tagging (offer an off preference) and rolling out an implementation of S/MIME email encryption 'for the rest of us' that is free like the macOS apps, and given the efficacy already built in to both macOS and iOS...?

    edited August 2019
  • Reply 3 of 8
    Arina14 Posts: 29 member
    I think it's a great idea if this is true. Hopefully, these initiatives will help minimize the number of shortfalls that plague Mac and iPhone users.
  • Reply 4 of 8
    seanismorris Posts: 1,624 member
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    #2 *******

    Looks like Apple is finally getting serious about security.

    Now they just need to find out what’s up with Cellebrite... 
    There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.
  • Reply 5 of 8
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    #2 *******

    Looks like Apple is finally getting serious about security.

    Now they just need to find out what’s up with Cellebrite... 
    There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.
    Plot twist: Where do you think Cellebrite gets some of their vulnerabilities?  Dunh... dunh... duuuuuunnhh :o   Okay, I'm mostly just joking but it's not beyond the realm of possibility.  More likely though, Apple introduces new vulnerabilities every time they update the OS.  It's how software development works and why there's a ton of time devoted to betas... to get rid of as many bugs and vulnerabilities as possible before pushing out the update.  Some are always missed - cuz human.

    But it's funnier to think of Cellebrite participating in some dark web vulnerability auction against a guy menacingly stroking a grumpy cat :D
    edited August 2019
  • Reply 6 of 8
    StrangeDays Posts: 12,877 member
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    #2 *******

    Looks like Apple is finally getting serious about security.

    Now they just need to find out what’s up with Cellebrite... 
    There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.
    I’d hardly conclude they’re only now finally getting serious about security. Compare the number of serious vulnerabilities in Windows to OS X over the years. 
  • Reply 7 of 8
    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
    #2 *******

    Looks like Apple is finally getting serious about security.

    Now they just need to find out what’s up with Cellebrite... 
    There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.
    I’d hardly conclude they’re only now finally getting serious about security. Compare the number of serious vulnerabilities in Windows to OS X over the years. 
    Pretty sure you knew the comment was about Apple's seemingly indifferent attitude regarding a bounty program for Mac OS vs its early adoption of a program for iOS.  But hey, this was just another opportunity to point the finger "over there at somebody else" instead of honestly assessing what's in your own house.  We can't pass that up, amirite.

    Apple is (hopefully, if the rumor is true) finally showing Macs the concern it should have been showing when it first intro'd bounty programs.  Celebrate that instead of trying to kick dirt on others.
  • Reply 8 of 8
    dysamoria Posts: 3,430 member
    How about fixing userland non-security bugs too? We’ve been reporting some of these for well over SIX YEARS already.