A bug bounty program is one in which hackers from around the world converge to try to hack the systems of the company or organization holding the event. The hacking is not done with bad intent, but to discover whatever vulnerabilities might exist in those systems, and the hacker(s) who discover any such vulnerabilities go home with a prize, usually cash proportional to the severity and risk level of the bug discovered. Bug bounty programs are run to encourage more hackers to give up black-hat hacking and instead report the vulnerabilities they find in operating systems to the company that makes them.
Most big tech companies already have their own bug bounty programs, but over the years, Apple has managed to stand out in this regard as it does in its operating systems; it doesn’t have a bug bounty program. Well, that was until last week, when Apple’s head of security engineering and architecture, Ivan Krstic, announced at the Black Hat event that Apple would start rewarding hackers and security researchers who discover any security risk or vulnerability in its products.
The announcement came as a great surprise to the people present at the Black Hat event and tech watchers, because most of Apple’s security announcements are made at its WWDC event, and the last time an Apple representative spoke at the Black Hat event was four years ago.
Apple’s reason for refusing to launch a bug bounty program until now is the high level of patronage hackers get from government agencies and black markets for security flaws. I’m sure what was in the mind of the Apple representative who announced it was the FBI-Apple battle that played out months ago, in which the FBI eventually bought the tool with which it hacked into the San Bernardino shooter’s iPhone for nearly $1 million from a private security firm.
There are five categories of vulnerability in the Apple Bug Bounty Program, each with its own maximum reward:
| Vulnerability category | Maximum reward |
|---|---|
| Vulnerabilities in secure boot firmware components | Up to $200,000 |
| Vulnerabilities that allow extraction of confidential material from Secure Enclave | Up to $100,000 |
| Execution of arbitrary or malicious code with kernel privileges | Up to $50,000 |
| Access to iCloud account data on Apple servers | Up to $50,000 |
| Access from a sandboxed process to user data outside the sandbox | Up to $25,000 |
The Apple bug bounty program will be launched in September. At first, participation will be on an invitation-only basis, and the program will be open only to researchers who have previously disclosed tangible vulnerabilities to Apple. New researchers won’t be turned away, however, as long as they make and provide useful security disclosures. Apple plans to expand the program slowly, in order to avoid an influx of reports that could overshadow important security discoveries if the program were opened to all and sundry at launch.
For researchers to be able to claim the prize for a disclosure, they will have to follow the usual procedure: provide a proof-of-concept based on the latest software in question (which is iOS in this case) and the latest hardware compatible with the software. The exact amount won will be determined by security factors such as the clarity of the report, the risk to users of the software, and others. The final decision will be taken by Apple. The tech giant also plans to encourage winners of its bug bounty to donate their rewards to charity; if a winner decides to do so and his/her chosen charity is approved, Apple will double the reward that person gets, and it will all be donated to charity.
It has been announced, and there is no going back. The Apple Bug Bounty Program is here, and it is launching in September. iOS developers can now dust off their hacking tools and get to work, because the competition’s gonna be stiff from now on.