Tech

Apple expands bug bounty to macOS, raises bug rewards

Apple also announces it will provide selected security researchers with access to special "hackable" phones.

Written by Catalin Cimpanu, Contributor Aug. 8, 2019 at 2:44 p.m. PT

See als

10 dangerous app vulnerabilities to watch out for (free PDF)

Three years after it launched its bug bounty program on the Black Hat 2016 stage, Apple returned today to the same security conference to announce it is expanding the program.

While initially Apple's bug bounty program covered only iOS bugs, starting later this year, the company will also accept vulnerability reports for macOS, watchOS, and tvOS.

Apple opening bounty program to all researchers
Expanding bounty targets pic.twitter.com/4iT9ILwpPX
— Jesse D'Aguanno (@0x30n) August 8, 2019

The expanded program will be open to all security researchers. Everyone will be able to report security bugs and receive a monetary reward from the Cupertino-based tech giant. Rewards will vary, depending on the vulnerability's impact and the damage it can do.

Speaking on stage at Black Hat today, Ivan Krstić, Apple's head of security, also announced a considerable increase in the rewards hackers are eligibe to make.

Currently, Apple is paying a maximum of $200,000 per vulnerabilities that can give attackers full control over an iOS device, with zero user clicks, from remote locations, and with code that executes in the iOS kernel.

Starting this fall, this maximum reward will be $1 million, and will also be available for macOS exploits, not just iOS.

But if researchers can't achieve this holy grail of exploitation scenarios, there are other types of vulnerabilities and scenarios that can bring up to $500,000 per bug report [see tweet embedded below].

Payouts
+ 50% bonus for bugs in prerelease builds pic.twitter.com/eGHoTUAb4Y
— Jesse D'Aguanno (@0x30n) August 8, 2019

In addition to these payouts, Apple is also offering a 50% bonus for bugs reported in pre-release builds. Through this unique offering, the company is hoping to prevent embarrassing or dangerous bugs from making it into final builds, where it may lead to attacks against its users, and where patching the vulnerable version may take weeks and months.

The iOS Security Research Device Program

Furthermore, as Forbes reported earlier this week, Apple is also launching a security research program through which it will provide a selected group of iOS researchers with special iPhones that are easier to hack.

These "pre-jailbroken" or "dev-fused" devices, as they're sometimes referred to, have existed for years at Apple, and have sometimes leaked out after being stolen/smuggled from Apple's China factories.

They have most security features disabled and are used by Apple employees to hunt bugs before prototypes are locked up and sent to mass-production.

Most of these devices end up on the black market, where they're sold for hefty prices, and sometimes end up in the hands of exploit brokers or zero-day sellers.

Now, Apple will be providing vetted white-hat security researchers with access to these devices, on purpose, to aid with hunting down bugs in its code.

Per a screenshot of Krstić's presentation, these special iPhones will provide access to a ssh daemon, a root shell, and advanced debug capabilities, not available in regular devices.

iOS security research device program! pic.twitter.com/4NsKH1DMGd
— Jesse D'Aguanno (@0x30n) August 8, 2019

Unlike its bug bounty program, the iOS Security Research Device Program, as it is named, will be invite-only; however, applications are open to everyone.