Apple boosts bug bounties but may not fix some bugs in past operating systems
Where's your spirit of Ventura?
Apple has opened up a bit about its product security, though the iGiant's slightly chattier demeanor, via a new security blog, may be appreciated less than its bug bounty upgrade.
The Apple Security Blog brings word of revised bug bounty awards, some topping out at twice the previous maximum payout. For example, "Zero-click radio to kernel with physical proximity" previously offered a payout of up to $250,000 and that sort of vulnerability is now eligible for up to $500,000.
Payouts are also subject to bonuses of up to 100 percent if they involve, for example, issues that allow Lockdown Mode to be bypassed. So the theoretical maximum bounty for a zero-click remote attack chain, with full kernel execution and a PAC/PPL bypass with persistence on the latest iOS device while Lockdown Mode was active, would be $2,000,000.
Apple in its blog post – attributed to Apple Product Security rather than named authors – says it's responding more quickly to bug reports and providing more feedback to those submitting reports. But accessing its new real-time status updates still requires an Apple ID.
"Just sign in with your Apple ID and follow the prompts to send us a detailed report," Apple Product Security says. "You can then track the progress of your report and communicate securely with Apple engineers as we investigate."
While the new regime falls short of the transparency of community resources like Open Radar – arguably necessarily so for security-related reports – it's an improvement over sending email to Apple and then hearing nothing back.
Apple is also launching a Security Research Device Program. Applications are now open and will be accepted until November 30. Those admitted into the program will receive a Security Research Device (SRD), "a specially fused iPhone that allows you to perform iOS security research without having to bypass its security features."
The SRD, Apple's answer to Corellium, is available on a 12-month, renewable basis, though only to those in 52 eligible countries, along with other limitations.
The iBiz is also making security updates more frequent with Rapid Security Responses (RSR), a software delivery mechanism to be added to future updates of iOS 16, iPadOS 16.1, and macOS 13.
RSR bug fixes will arrive with minor OS updates and won't require a restart unless they touch the underlying operating system. They're designed not to be affected by delays imposed by device management software, though that can be configured.
Upgrade or suffer
At the same time, Apple has declared a limit on its willingness to support non-current operating systems with security updates. In conjunction with the release of macOS Ventura, the iPhone maker says that older operating system versions may not receive fixes for all known security issues.
"Because of dependency on architecture and system changes to any current version of macOS (for example, macOS 13), not all known security issues are addressed in previous versions (for example, macOS 12)," the company explained in a support document published this week.
Speaking of Ventura... The latest version of macOS breaks third-party security tools. An update is due out soon to address the screw-up. In the meantime, your antivirus may not work as expected on your Ventura Mac.
Apple demonstrated its willingness to ignore older but still supported operating systems back in April when it patched two actively exploited vulnerabilities in macOS Monterey but left users of previous supported macOS releases without a fix. At the time, Joshua Long, chief security analyst at Intego, said that was "the first time since the release of macOS Monterey that Apple has neglected to patch actively exploited vulnerabilities for Big Sur and Catalina."
The Register asked Apple whether its newly articulated policy reflects past practice or is something new. Apple did not respond, confirming the security community's major gripe about the secretive company: a lack of communication.
Microsoft's stated policy for critical security updates is that they "are made available for products until the published Extended Support end date." As a point of comparison, Windows 8.1 was released on October 17, 2013 and support is scheduled to end on January 10, 2023.
Among security professionals, there's at least some appreciation that Apple spelled out its position.
"It's good that Apple has articulated its stance more clearly," said Patrick Wardle, cybersecurity researcher and founder of security non-profit Objective-See, in an email to The Register. "In the past it's been a bit confusing, and has led to inconsistencies."
Wardle pointed to an Intego presentation [PDF] given at Mac security conference Objective by the Sea last year. It notes that there were: 217 vulnerabilities patched for Big Sur (released 11/20), Catalina (released 10/19), and Mojave (released 9/18); 154 patched for only Big Sur; and 74 patched only for Big Sur and Catalina.
He added, "It's a bit problematic though that only the current version of the OS will be patched as users often don't upgrade for various reasons," citing concerns about compatibility and "rather draconian changes" like app notarization.
Wardle said from a security point of view, it's always better to be running the latest version of any software.
"If you take Apple’s statement at face value, they’re saying that they won’t address 'known security issues' in previous versions," said Feross Aboukhadijeh, an open source developer and CEO of security biz Socket, in an email to The Register. "This seems out of line with previous policy. In the past, Apple would patch known vulnerabilities in versions of macOS and iOS from previous years."
"My initial thought when reading this was that this must be sloppy writing," he said. "They could just be trying to say that if they know of a security issue in the latest OS but it’s not immediately apparent that it is also present in last year’s release, then they may not devote resources to confirming if it is present in older versions and then issuing a fix. If this is what they’re indeed saying, this may not be a policy shift for them at all." ®