Apple is opening its bug bounty program to all security researchers and expanding the range of systems for which bugs can be reported. And hoo buddy, Apple is willing to slide them a pretty significant chunk of change for it, too.
Apple’s head of security for engineering and architecture, Ivan Krstić, tweeted the news Thursday (the move was previously announced at Black Hat this year). In a notice on its developer website, Apple details the Security Bounty program, which now covers iOS, iPadOS, macOS, tvOS and watchOS. As ZDNet noted, Apple’s bounty program was previously invitation-only and extended only to security issues in iOS.
In order to be eligible, the individual must be the first person to report the bug to Apple Product Security; they must hand over a report that includes a working exploit (Apple says it will only pay up to 50 per cent of the award without one); and they need to keep the issue under wraps until Apple makes an official security advisory. For this, they will be paid handsomely.
Now live!
The new Apple Security Bounty! https://t.co/T4A2vTGSnM
The new Apple Platform Security guide, featuring Mac for the first time! https://t.co/76qglenmif
(PDF version: https://t.co/8F4kb8izgD)
My Black Hat 2019 talk: https://t.co/bqs6A3VAQ8
Happy holidays!
— Ivan Krstić (@radian) December 20, 2019
The maximum payout can be anywhere from $US100,000 ($144,962) for identifying lock screen bypasses and unauthorised access to iCloud data on the company’s servers to hundreds of thousands of dollars and up to $US1 million for various one-click and zero-click scenarios. According to Apple, there is a $US5,000 ($7,248) minimum payout across its various categories. And sure, Apple may be playing catch-up here. But this is a lot of money, even by the standards of other bounty programs.
The highest payout listed on Microsoft’s bug bounty page, for example, is a $US300,000 ($434,885) award for finding a vulnerability related to its cloud service, Azure, and Microsoft pays a fraction of what Apple does for a zero-click. Google, however, does offer up to $US1 million for identifying an exploit related to the Pixel Titan M and matches Apple’s $US100,000 ($144,962) reward for lock screen bypass.
Not sure how researchers will react to this requirement for fully functional exploits alongside Apple bug bounty reports https://t.co/frSE5ZH8yb
— Ryan Naraine (@ryanaraine) December 20, 2019
Apple’s bug bounty program has been a pain point for security researchers for quite a while. A security researcher who discovered a macOS Keychain exploit earlier this year, for example, engaged in something of a public standoff with the company over its glaring lack of a bounty program for systems beyond iOS. The company has also faced criticism in the past for low payouts for valuable bugs, though payouts have since increased.
The bar, however, “is set pretty high in terms of deliverables,” Jamf’s principal security researcher, Patrick Wardle, told ZDNet. So if this was your get rich quick scheme, well, good luck.