Apple Upgrades Bug Bounty Program: Adds Macs, $1M Reward

black hat 2019

Apple is opening its once-private bug bounty program to all researchers, as well as boosting vulnerability payouts and expanding the product scope to include MacOS.

LAS VEGAS – Apple is giving its bug bounty program a much-needed makeover.

The device manufacturer in a Thursday Black Hat USA 2019 session said it will open the historically private program to all researchers in the fall. In addition, it plans to drastically boost some rewards for vulnerabilities found in its devices – including a $1 million payout – and adding a much-wanted program for its Mac devices.

Apple researchers say that the announcement poses a drastic – and welcome – change from Apple’s existing bug bounty program, announced in 2016 at Black Hat, which has been invite-only, with rewards only as high as $200,000 and limited in-scope products.

“It’s really great to see Apple really stepping up… I see this as a pivotal point where Apple is fully embracing the external research community,” Patrick Wardle, security researcher with Jamf, told Threatpost.

In addition to opening up Apple’s bug bounty program, Ivan Krstic, head of Apple Security Engineering and Architecture, on Thursday said that the company is now offering bug bounty programs for macOS, tvOS, watchOS, and iCloud, and increasing payouts for some devices. These new features have all been suggested by security researchers who have worked with Apple in the past, said Wardle.

While previously, Apple’s maximum payout was $200,000 for finding vulnerabilities in hardware like secure boot firmware components, now, it’s bumping up those rewards, offering a hefty reward of $1 million for a network attack with no user interaction that could lead to zero-click kernel code execution with persistence.

Apple has also raised the value of rewards for other attacks, including $500,000 for network attacks with no user interaction leading to zero-click access to high-value user data, as well as several rewards of $250,000. Apple also said that it would give a 50 percent bonus for finding vulnerabilities in pre-release software.

Apple also confirmed a report from earlier this week that it will give security researchers special iPhones that will make it easier for them to find weaknesses in its smartphone, in a new program called “iOS Security Research Device Program.” The phone will have special features – such as advanced debug capabilities –  and will be available to researchers next year.

The program announcements also come a year after a Black Hat session last year during which prolific Google bug hunter Ian Beer criticized Apple for how it handles iOS security. He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability: “Undeniably these people have really strong engineering security skillsets. But, they don’t have an exploitation background… Their focus is on the design of the system and not on exploitation,” he said. “Please, we need to stop just spot-fixing bugs and learn from them, and act on that.”

However, security experts hope that this week’s change is indicative of a closer relationship between Apple and the research community.

“One of the past criticisms of Apple’s security posture… the scope of their bug bounty program was narrow, it didn’t pay out enough, it was closed,” Wardle told Threatpost. “So as an independent security researcher this is hugely welcoming news.”

Facebook’s former chief information security officer, Alex Stamos, for his part, took to Twitter to praise the program: “Apple has a reputation of not allowing their security team interact with the community, hopefully this is a fresh start.”

https://twitter.com/alexstamos/status/1159560414968991745

During Apple’s session at Black Hat, called “Behind the scenes of iOS and Mac Security,” the company also dove into an array of other security measures surrounding its product lineup, including a “Find My” feature in iOS 13 and macOS Catalina that enables users to receive help from other nearby Apple devices in finding their lost Macs, as well as the secure boot capabilities of the T2 Security Chip in Macs.

Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.

Suggested articles