Apple Opens Bug Bounty Program to All, Changes Payout Structure
At Black Hat, the head of Apple’s Security Engineering team announced new enhancements to its bug bounty program, including one vulnerability that could fetch a researcher $1M.
Apple, long regarded as being one of the more mysterious big tech companies, may slowly be lowering the veil.
Back in 2016, Ivan Krstić, Head of Apple’s Security Engineering and Architecture team, peeled back the layers on how the company's Secure Enclave Processor, the cryptographic system that protects user data on iOS devices, works. The session, which was standing room only, gave what many considered unprecedented access to technical details and security mechanisms at the company.
Krstić returned to the conference this year, on Thursday, to share that the company is opening its bug bounty program, once invite only, to all researchers. Furthermore, Apple announced it would be expanding bounty targets. While the program was initially limited to vulnerabilities in iOS, starting this fall, bug hunters will be able to identify vulnerabilities in iCloud, tvOS, iPadOS, watchOS, and macOS, in addition to iOS.
With the increased surface area come much higher payouts. Krstić said Thursday the company will pay $1 million for attacks that require no user interaction to be carried out, such as a zero-click kernel attack that leads to code execution with persistence. The company similarly said it would pay $500,000 for any attack that leads to zero-click access to high-value user data.
The dollar figures are more than double what Apple previously offered for vulnerability details. Under the first iteration of the bounty program, bounties maxed out at $200,000.
Here’s the full rundown of bug disclosure payouts:
- Lock screen bypass: $100,000
- User data extraction: $250,000
- Unauthorized access to high-value user data: $100,000
- Kernel code execution: $150,000
- CPU side-channel attack on high-value data: $250,000
- One-click unauthorized access to high-value user data: $150,000
- One-click kernel code execution: $250,000
- Zero-click radio to kernel with physical proximity network attack: $250,000
- Zero-click access to high-value user data: $500,000
- Persistent full-chain kernel code execution attack without user interaction: $1,000,000
Chaouki Bekrar, the founder and CEO of Zerodium, a high-risk zero-day exploit acquisition firm, lauded the move last week and congratulated Apple for paying researchers "the right price for their hard work."
While Krstić gave no time frame beyond "this fall" for when the enhancements to the program would roll out, it wouldn’t be a huge surprise to see them land at the end of September, around the same time the company is planning to debut iOS 13, first teased back in June.
While Apple is planning on opening its bug bounty program to all, the company will apparently still maintain a private research program for select researchers. The company also confirmed last week the existence of the iOS Security Research Device Program, an initiative it plans to kick off next year in which it will supply researchers with developer devices to make it easier for them to ferret out bugs in the phones. In his talk, Krstić said the phones would come with SSH, a root shell, and advanced debug capabilities.