Apple has been lagging competitors in providing financial incentives to report exploits, but recently, Apple’s security chief announced that the smartphone maker will pay for vulnerabilities found in certain aspects of iCloud and iOS. The payouts will be based on category and severity, and the program is by invitation only.
Apple starts invitation only bug bounty program
The top fees will range from $25,000 to $200,000 across five areas, but actual payments could be much lower. At the Black Hat security research conference in Las Vegas, Apple’s head of security engineering and architecture, Ivan Krstic, made the announcement during a presentation. According to those present at the conference, the presentation included technical details and disclosures of security related to HomeKit, iCloud Keychain and AutoUnlock, something that has been mostly absent from conferences in the past.
The fees offered may not be much, but they could help in convincing researchers to disclose issues and not to reveal them to others until the bugs are patched. Previously, people who found bugs or exploits went public after they thought sufficient time had passed without any updates from Apple.
Most of Apple’s rivals already run so-called bug bounty programs, in which hackers or researchers turn over what they know in exchange for a fee. The fees are usually paid in cash, and the hackers remain mute until the bugs are fixed. Some companies sponsor hacking events and pay out in equipment, cash or both for achieving a goal. Only Amazon is the exception among large Internet firms.
Five categories of bugs
Krstic listed five categories of bugs, and the top fee paid for each of the categories. MacOS is not covered as part of the program yet, said people who attended the conference. The five categories are: access from a sandboxed process to user data outside of that sandbox ($25,000 cap), execution of arbitrary code with kernel privileges ($50,000 cap), unauthorized access to iCloud account data on Apple servers ($50,000 cap), extraction of confidential material protected by the Secure Enclave Processor ($100,000 cap) and secure boot firmware components ($200,000 cap).
All these aspects represent important vectors for attack by criminals and governments alike. Jailbreaking software has used many methods of running arbitrary code even when iOS has never had bugs spread significantly in the wild. The makers of the Pangu jailbreak for iOS 9 (fixed in 9.2) explained how they achieved that kind of code execution in a separate Black Hat presentation.
Details in respect to the presentation are collected from reports from participants, and the Cupertino-based company has not posted any details yet, says Macworld. Even the presentation is not available online.