Why Apple’s bug bounty is a big deal
LAS VEGAS—Although Apple’s newly revealed bug bounty program for security professionals is rife with limitations, experts are applauding it as a major endorsement of modern security culture and practices.
In announcing the program during a Black Hat presentation about new iOS security measures here last week, Ivan Krstic, Apple’s head of security engineering and architecture, said Apple’s bounty program will pay non-Apple employees up to $200,000 for finding and disclosing new vulnerabilities in its software. That sum is the highest corporate bounty currently on offer from any major tech firm, including Microsoft, Google, Facebook, Twitter, LinkedIn, and Mozilla, and double the highest bounty on offer from competitors.
“The Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple,” Krstic told the crowd.
Bug bounty expert Katie Moussouris, who created Microsoft’s bug bounty program while employed there and subsequently served as chief policy officer at HackerOne, which helps companies set up bug bounties, says Apple’s bug bounty is a win for the company and hackers alike.
“Now that Apple is providing these rewards, the hackers with the skills to find these issues no longer need to choose between sending it to Apple to get the issues fixed and making money,” she says. “They can do both. This is a great step in the broad evolution of the defense market for vulnerabilities.”
Good for Apple doesn’t necessarily mean good for hackers. Although the security community at large has long lauded aspects of the company’s mobile operating system, it has not always had great relations with the Cupertino, Calif.-based tech titan. Krstic was the first official Apple representative to speak on stage at Black Hat in four years. But the tides seem to have changed.
Although Apple hasn’t even announced the bounty’s official start date, hackers at Black Hat and beyond are celebrating the program as a validation of their independent security research practices. That may not sound like much, but considering that it is still illegal, in most cases, to report security vulnerabilities to the software vendor, the new program adds an important feather in the community’s cap.
In recent years, companies and government agencies as disparate as United Airlines, Uber, ING Group, and Fiat Chrysler Automobiles have started their own bug bounty programs. And as independent bug hunters become more in demand, longtime bounty programs such as Google’s have been forced to raise their bounties.
Like the Pentagon bug bounty that ran earlier this year, Apple’s comes with some tight restrictions. The company is inviting only several dozen hand-picked hackers to participate in the bounty, and it is directing them to find bugs only in specific areas.
Researchers who can find a way to escape the “sandbox” that isolates individual software processes from the rest of the computer will earn up to $25,000. Those who can access the iPhone’s core system functions or access iCloud user account data stored on Apple’s servers can earn up to $50,000. Those who crack open Apple’s Secure Enclave Processor, a secondary processor that prevents the phone’s main chip from accessing sensitive information, such as the Touch ID fingerprint reader controls, can earn as much as $100,000. And finally, those who can hack into Apple’s secure boot firmware, which blocks jailbreaking the phone and installing unwanted apps, can earn as much as $200,000.
Moussouris, who says Apple has been working to develop its bounty program for “years,” doesn’t expect Apple’s strict criteria to last long. She’s confident that the company will “evolve and expand” its bug bounties, she says, “using feedback to tune these programs as they operate.”
Not everyone agrees that Apple’s move is good for independent hackers. Some say the bounties are too low when compared to those being paid on the lucrative bug bounty black market by government agencies and less scrupulous hackers.
Casey Ellis, founder of Bugcrowd, which helps companies create and manage their bug bounty programs, says he expects top black-market bounties for iOS exploits to drop.
“Once these vulnerabilities make their way to Apple and are fixed,” he says, “the offensive products generated off the zero-day sales for the same vulnerabilities will become far, far less valuable.”
The illicit bug marketplace might already be seeing the predicted price drop for iOS bugs. Last year, Zerodium paid $1 million for an iOS exploit, and the U.S. government paid more than $1 million to the company that hacked into the iPhone of the San Bernardino, Calif., shooter. Just two days ago, by contrast, independent security company Exodus Intelligence capped its iOS bug bounty at $500,000.
Unpatched iOS vulnerabilities and exploits on the black market clearly are still king of the hill, when it comes to cash payouts. But that hill may have just gotten a lot less steep than it was a week ago.