Apple on Thursday introduced its first bug bounty program, set to launch in September.
Ivan Krstic, head of Apple security engineering and architecture, announced the program during his presentation at the Black Hat security conference in Las Vegas.
The focus reportedly is on an exceptionally high level of service, and on quality over quantity. Participation in the program initially will be by invitation only, and it will be limited to a select group of researchers.
However, Apple plans to work with other researchers on a case-by-case basis, and the company reportedly will expand the program over time.
The bug bounty program “signifies how important it is to have community-based security versus an exclusive in-house security program,” noted Chenxi Wang, chief strategy officer at Twistlock.
“To their credit [Apple] have done a great job in the quality and security of their software,” she said, “but even Apple can’t do it alone. They need the collective brain power of the hacking community to help.”
Apple will offer these bounties:
- Up to US$200,000 for vulnerabilities in boot firmware components;
- Up to $100,000 for flaws that allow the extraction of confidential material from the Secure Enclave Processor;
- Up to $50,000 for vulnerabilities allowing the execution of arbitrary code with kernel privileges, or those that allow unauthorized access to iCloud account data on Apple servers; and
- Up to $25,000 for flaws that enable access from a sandboxed process to user data outside that sandbox.
Apple also may reward researchers who share an exceptional, critical vulnerability outside of the five categories listed.
“With programs like this, there are two approaches,” said Rob Enderle, principal analyst at the Enderle Group. “One is to actually find problems and fix them; the other is to use the program to create the impression you’re secure by providing big bounties to do things you believe can’t actually be done.”
Apple’s bounty program “appears to be the latter case, which is why [it’s] both so restrictive and has such seemingly large bounties,” he said. “This appears mostly targeted at undoing the damage the FBI did to Apple’s security reputation when they broke into an iPhone some time ago.”
The iPhone belonged to terrorist Syed Farook, who with his wife carried out a mass shooting in San Bernardino last year.
After filing an unsuccessful lawsuit to get Apple to unlock that device, the FBI paid a third party to do so.
News of the hacking raised concerns about the security of Apple devices, because “it showed that Apple can be breached,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.
“Apple’s now in an arms war with the government,” he said. “They need to improve security quickly and show people they’re taking it seriously. By engaging independents, [Apple] can … provide an even stronger incentive to work within its community.”
Loosening Its Grip
Apple “has been reasonably successful in producing tightly controlled platforms and software, but, as their ecosystem grows and device capabilities grow, even they could use help,” said Twistlock’s Wang. “They waited so long because of their need to control everything.”
That need is based partly on Apple’s protectiveness of its intellectual property, over which it has fought several battles in court.
“Apple’s very sensitive about their IP, [and] I understand why they’re opening up [the bounty program] to a select few,” Wang said.
Apple users will be the ultimate beneficiaries of the bug bounty program, because “their information and data, and their devices, will be more secure,” said Enderle.
Hackers who discover bugs under the program will gain fame and money, Frost’s Jude suggested.
“For most hackers, the notoriety is at least as important as the money,” he said. “Someone who can say they located a bug in Apple software can pretty much write their own ticket.”