Apple announces expanded security bug bounty program up to $1 million; plans to release iOS Security Research Device program in 2020

Apple made some major announcements at the Black Hat 2019 cybersecurity conference in Las Vegas, which concluded yesterday. Apple’s head of security engineering, Ivan Krstić, announced that anybody who can hack an iPhone will get up to $1 million in reward. Apple also released a new payout structure for security researchers, with the amount depending on the type of vulnerability found.

Krstić also unveiled Apple’s new iOS Security Research Device program, which will launch next year. As part of the program, qualified security researchers will be provided with special iPhones to help them find flaws in iOS.

Apple expands its Security Bug Bounty program

Apple first launched its bug bounty program in 2016. The previous program paid up to $200,000 and was open only to researchers in Apple’s invite-only bug bounty program.

Yesterday, Apple announced that, under its new security bug bounty program, anyone who can hack an iPhone will receive up to $1 million. The bounty program has also been opened to all security researchers, and it now covers all of Apple’s platforms: iCloud, iOS, tvOS, iPadOS, watchOS, and macOS.


Apple has also released a new payout structure, with rewards starting at $100,000 for a bug that allows a lock screen bypass or unauthorized access to iCloud. Researchers can also earn a 50% bonus for bugs found in pre-release software. The top payout is reserved for researchers who discover a zero-click kernel code execution with persistence.


Apple’s new iOS Security Research Device program

Apple gave out details about its new iOS Security Research Device program, which will launch next year. Under this program, Apple will supply special iPhones to security researchers to help them find security flaws in iOS. However, the iOS Security Research Device program is available only to researchers with substantial experience in security research on any platform.

The special devices will differ from regular iPhones: they will come with ssh, a root shell, and advanced debug capabilities to make bug identification easier. “This is an unprecedented fully Apple supported iOS security research platform,” said Krstić at the conference.

Though many users have praised Apple for the large rewards and for initiating the security research device program, some also argue that the amounts are not that large. Given the knowledge and expertise required to find these bugs, there are suggestions that Apple should consider paying these researchers more, as they are the ones saving Apple from a lot of negative P.R. by finding bugs that even Apple’s own employees are sometimes unable to find.

A user on Hacker News comments, “1M is a lot of money to me, a regular person, but when you consider that top security engineering talent could be making north of 500k in total compensation, 1M suddenly doesn’t seem all that impressive. It’s a good bet to make on their risk. Imagine paying a mere 1M to avoid a public fiasco where all of your users get owned. This just seems like good business. They could make it 5M, and it would still be worth it to them in the medium to long term.”

Another user says, “I’m surprised by how cheap the vulnerabilities market is. A good exploit, against a popular product like Chrome, selling for 100k or even $1M may sound like a lot, but it’s really pennies for any top software firm. And $1M is still a lot for a vulnerability by market prices.”

Another comment on Hacker News reads, “When I read the article, my first reaction was ‘Only a million?’ Considering the importance of a bug like this to Apple’s business and the size of their cash hoard, this sounds like they don’t actually care that much.”
