Apple Expands Bug Bounty, Increasing Max Reward to $1M


Open Arm Move Generates Praise From Security Experts


Apple is opening up its bug bounty program to more researchers, increasing the potential rewards and expanding the pool of qualifying products in a bid to attract tips on critical software flaws.


Ivan Krstić, head of Apple’s security engineering and architecture, announced the program on Thursday at the Black Hat security conference in Las Vegas.

Due to launch next year, the program will give vetted researchers special iOS devices that allow them to hunt for hard-to-find vulnerabilities. Security industry veterans praised the move, as Apple has been criticized for being somewhat aloof to outside researchers.

“Dear Apple PR: @radian did a fantastic job representing your brand today,” writes Alex Stamos, former chief security officer at Facebook and Yahoo, on Twitter. “Apple has a reputation of not allowing their security team interact with the community, hopefully this is a fresh start.”

Top Bounty: $1 Million

The maximum reward has been raised to $1 million for one of the most dangerous kinds of software flaws: a kernel-level vulnerability that requires no interaction on the part of the victim and persists across reboots. There’s also a menu of increased awards for various other classes of bugs.

Researchers can also apply to gain access to pre-release software. In addition, vetted researchers will be given special-access iOS devices that come with SSH, a root shell and advanced debugging capabilities, according to a slide from Krstić’s presentation that was posted on Twitter.

The program will be open to “everyone with a record of high-quality systems security research on any platform,” the slide says.

The bug bounty program will also cover a range of Apple products, including macOS, iCloud, tvOS, iPadOS and watchOS. The current program only covers iOS and iCloud, Apple’s storage and backup service.

The highest previous bounty was $200,000, which was for a flaw in secure boot firmware components. Researchers also had to be invited to the bug bounty program, which by design narrowed participation.

The announcement drew praise, including from Patrick Wardle, an Apple security expert and principal security researcher with Jamf.

Bug Bounties Expand

Bug bounty programs are expanding, thanks in part to management services offered by third-party companies. Compared to a decade or even five years ago, software companies have become more generous with rewards, seeing value in a crowdsourced approach.

Also, bug bounty programs have helped reduce friction between researchers and companies. In the past, bug disclosures have resulted in legal threats against researchers who went public, sometimes out of frustration as to how their findings were received.

Experts have said that bug bounty programs often result in improved security because they draw more eyes onto the code, increasing the chances that security flaws are found before they are exploited by cybercriminals, nation-states or other actors.

“Apple is doing some _smart_ stuff,” writes Thomas Ptacek, a security researcher and principal at Latacora. “Developer unlocked devices for security researchers. Bounty premiums for findings in beta releases; partly flips the script on the economics of vulnerabilities.”

Apple only launched its bug bounty program three years ago. Apple has sought to distinguish itself over competitors in the security and privacy realms, so it makes sense to broaden the bug bounty’s scope.

Also, the improved rewards provide more of an incentive for researchers to turn over information about a flaw to Apple rather than to third-party vulnerability dealers. Those companies have raised concerns over whether the exploits they buy are being used in ethically questionable scenarios, such as against human rights activists.