Apple joins the bug bounty party with $200,000 top prize
Cupertino will match bounties if hackers donate them to charity
Black Hat Security researchers can win up to US$200,000 in Apple's new bug bounty program, announced by the company on Thursday at the Black Hat security convention in Las Vegas.
“We’ve had great help from researchers like you and the security mechanisms we build have gotten stronger,” said Apple’s head of security engineering and architecture Ivan Krstić. “The feedback that we’ve heard pretty consistently both from my red team and Apple and also directly is that it’s getting more difficult to find some of the most critical types of security vulnerabilities.”
The program will be invite-only initially, Krstić told the crowd, with a “few dozen” researchers participating. However, if a researcher turns up an interesting bug and provides a full report and a proof of concept that is accepted by Apple engineers then they will get a payout.
To get the maximum payout you’ll need to provide a flaw in the secure boot firmware that so irritated the FBI, while a crack that can extract confidential data protected by a phone or tablet’s secure enclave processor (SEP) will yield a prize of up to $100,000.
If you can execute arbitrary code with kernel privileges on iOS the maximum award of $50,000, with the same sum available to anyone who gets unauthorized access to iCloud account data on Apple’s servers. There’s also $25,000 up for grabs if you can get access from a sandboxed process to user data outside that sandbox.
Krstić said that Apple engineers will examine reported flaws to determine their value before a payout. But if the developer chooses to give the money to charity instead of taking it themselves then Apple will match the donation dollar for dollar.
Bug bounty programs are widely used but Apple hasn’t previously joined in, despite protests from developers. At the event, it was clear the audience approved of the change of heart as the announcement was greeted with warm applause.
The Register asked Krstić if this new focus on recruiting security smarts was in any way related to its recent run-in with the FBI and the storm that brewed when Cupertino refused to play ball with the Feds.
“I’m an engineer,” he replied. “I’m happy to answer technical questions on what I’ve covered today.” Then he shut up. ®