Bug bounty programs enable security researchers and volunteer hackers to use their skills for good. They incentivise people to find bugs in a company’s products, offering cash rewards in return for detailed reports on vulnerabilities and exploits. These bugs could otherwise have catastrophic consequences if discovered first by malicious hackers.
The launch of Apple’s program has been long anticipated by people who already spend time finding weaknesses in its software. Companies including Google and Facebook have been running their own schemes for years. When Microsoft debuted its own program in 2013, it was criticised by some for arriving late. Three years further on, Apple’s announcement is long overdue.
The company said it is entering the game now because it is finding it increasingly hard to find the most serious bugs on its own. It is now open to receiving all the help it can get to find flaws in software like iOS, particularly as it still hasn’t ascertained how the FBI got into a locked iPhone earlier this year.
Apple is starting small with the program, based on advice that other companies have given it. Initially, only a small selection of security researchers who have found vulnerabilities in the past will be able to contribute. This limitation will ensure Apple can keep a handle on the early reports and ensure the system runs smoothly. Later on, it will widen the scheme and allow anyone to participate.
Bounties will be awarded based on the severity of the vulnerability and the number of Apple customers likely to be affected by a successful exploit. Only bugs affecting iOS devices and iCloud online storage will be eligible for a reward to begin with.
The highest bounties will be awarded to people who successfully bypass Apple’s Secure Boot firmware on iOS. This mechanism verifies the cryptographic signature of each stage of the boot chain, starting from code fixed in the device’s Boot ROM, and refuses to load any stage that is unsigned or has been modified. Defeating it would allow an attacker to run their own code beneath the operating system, persisting across reboots and giving them unrestricted access to a user’s files. Demonstrations of exploits that achieve this will be awarded the full bounty of up to $200,000, the largest award for a single bug offered by any current vendor bounty scheme.
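To make the chain-of-trust idea concrete, here is an added illustration that is not part of the original article and not Apple's code. It models a verified boot chain in plain Python: a root measurement (standing in for the Apple root public key burned into the Boot ROM) vouches for the first stage, and each stage carries the expected measurement of the next. Real iOS Secure Boot checks signatures under Apple's certificate authority rather than bare SHA-256 digests; the digest chain here is a simplification, and the stage names and payloads are constructed sample data.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Stage:
    """One boot stage: its code plus the measurement it expects of the next stage."""
    name: str
    code: bytes          # constructed sample payload, not a real firmware image
    next_digest: bytes   # SHA-256 the stage demands of its successor; b"" for the last stage


class BootFailure(Exception):
    pass


def digest(stage: Stage) -> bytes:
    # Measure code and the embedded expectation together, so tampering with
    # either the payload or the "next stage" pointer changes the measurement.
    return hashlib.sha256(
        stage.name.encode() + b"\0" + stage.code + b"\0" + stage.next_digest
    ).digest()


def boot(root_digest: bytes, chain: list[Stage]) -> list[str]:
    """Walk the chain the way a Boot ROM would: a stage is loaded only if its
    measurement matches what the previous, already-trusted stage expects.
    Returns the names of the stages that were loaded, in order."""
    expected = root_digest
    loaded: list[str] = []
    for stage in chain:
        if digest(stage) != expected:
            raise BootFailure(f"{stage.name}: measurement mismatch, refusing to load")
        loaded.append(stage.name)
        expected = stage.next_digest
    return loaded


def build_chain(images: list[tuple[str, bytes]]) -> tuple[bytes, list[Stage]]:
    """Build stages from the last one backwards, because each stage must embed
    its successor's digest. Returns (root_digest, chain); the root digest is the
    value that would be fixed in the Boot ROM at manufacture time."""
    chain: list[Stage] = []
    next_digest = b""
    for name, code in reversed(images):
        stage = Stage(name, code, next_digest)
        chain.append(stage)
        next_digest = digest(stage)
    chain.reverse()
    return next_digest, chain


def try_boot(root_digest: bytes, chain: list[Stage]) -> list[str] | None:
    """Convenience wrapper: loaded stage names on success, None if boot was refused."""
    try:
        return boot(root_digest, chain)
    except BootFailure:
        return None


# Constructed sample boot chain (hypothetical names and payloads).
GENUINE_IMAGES = [("iBoot", b"genuine iboot code"), ("kernel", b"genuine kernel code")]


def demo() -> dict[str, list[str] | None]:
    root, chain = build_chain(GENUINE_IMAGES)
    results = {"genuine": try_boot(root, chain)}

    # Attacker swaps the kernel only: iBoot still loads, the kernel is refused.
    evil_kernel = Stage("kernel", b"evil kernel code", b"")
    results["tampered_kernel"] = try_boot(root, chain[:1] + [evil_kernel])

    # Attacker rebuilds iBoot to vouch for the evil kernel: now iBoot itself
    # fails the Boot ROM's check, so nothing beyond the ROM loads.
    _, evil_chain = build_chain([("iBoot", b"evil iboot code"), ("kernel", b"evil kernel code")])
    results["tampered_iboot"] = try_boot(root, evil_chain)

    # If the attacker can defeat the root check itself (the Secure Boot bypass
    # in the top bounty tier), the whole chain below it trusts them completely.
    evil_root, _ = build_chain([("iBoot", b"evil iboot code"), ("kernel", b"evil kernel code")])
    results["root_bypassed"] = try_boot(evil_root, evil_chain)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome if outcome else 'boot refused'}")
```

The last case is why a bypass of the first stage commands the highest reward: every later stage only checks what the stage before it told it to expect, so an attacker who controls the root of the chain inherits the trust of everything beneath it.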
The next tier is for exploits that extract confidential material protected by the iPhone’s Secure Enclave, receiving up to $100,000. Attacks that allow the execution of arbitrary code with kernel privileges, and unauthorised access to iCloud user data stored on Apple’s servers, will each be awarded up to $50,000. Finally, exploits that let a sandboxed process reach user data outside its sandbox will be eligible for a bounty of up to $25,000.
To obtain a pay-out, participating researchers will need to provide Apple with a functioning proof-of-concept exploit that is compatible with the latest released version of iOS. Attacks against an iPhone’s hardware, such as a Secure Enclave vulnerability, must be based on the latest models of the device currently shipping to customers.
While the program is not without its limitations, it does represent a big step forward for Apple. The company has long accepted proof-of-concept attacks from researchers and credited individuals in its security update release notes. For the first time, though, it is now actively encouraging people to find flaws in its products, falling into line with the rest of the industry rather than resting on its reputation for strong security.
The scheme will go live in the fall, allowing Apple to strengthen the security of its devices through active community involvement. As an added incentive to researchers, the company is even offering to match the pay-out if a participant donates their bounty to charity, potentially leading to $400,000 being given for a single bug.
