Apple Falls In Line: Offers Bounties Up To $200K For iOS, iCloud

One team qualified for the $1 million bounty for a working, remote exploit or jailbreak for devices running Apples iOS 9 operating system, according to the security firm Zerodium.
One team qualified for the $1 million bounty for a working, remote exploit or jailbreak for devices running Apples iOS 9 operating system, according to the security firm Zerodium.

In-brief: Apple announced on Thursday that a new bug bounty program would pay researchers up to $200,000 for information on flaws in its iOS mobile operating system and iCloud service, joining the ranks of technology firms that offer cash for information on software vulnerabilities. 

Apple – the world’s most recognized and valuable technology brand – has finally joined the ranks of technology firms who will pay independent security researchers for finding vulnerabilities in their software, reports.

Ivan Krstic, Apple’s head of security engineering and architecture unveiled the program at The Black Hat Briefings in Las Vegas on Thursday, saying the company would pay rewards of up to $200,000 for five classes of bugs in iOS and iCloud.

The maximum reward of $200,000 is reserved for vulnerabilities and proof-of-concept code in the company’s secure boot firmware. Researchers who can extract confidential data from the iOS Secure Enclave Processor will earn  $100,000. The Cupertino company will pay $50,000 for code execution flaws that provide kernel privileges or allow unauthorized access to iCloud account information on Apple’s servers and $25,000 for vulnerabilities that allow a sandboxed process to ‘break out’ and gain access to user data outside that sandbox.

The $200,000 reward would be the largest public bounty offered in the technology industry, though it is likely that security vulnerabilities have fetched larger rewards in private sales.

The emergence of bounty programs has given rise to bounty platforms like HackerOne and Bug Crowd to intermediate between firms and the researcher community. That, in turn, has allowed top researchers to make a profession of bug hunting – earning tens or hundreds of thousands of dollars a year finding and reporting software flaws.

However, Cupertino, California-based Apple has long been a hold out among leading technology firms: officially refusing to pay vulnerability researchers with anything more than thanks for finding flaws in its products, even as competitors like Google, Facebook, Twitter and even Microsoft warmed to them. That has left it to private vulnerability brokers to offer incentives to researchers to work on Apple platforms like iOS, OS X and iCloud.

In 2015, the firm Zerodium made headlines for offering a $1 million bounty for a working exploit of the latest version of Apple’s iOS operating system. The company later said two teams at least partially qualified for the award. Researchers have pointed to offers like that and firms like Zerodium, which act as cyber arms dealers, as a key argument in favor of Apple offering a bounty program. In the absence of such a program, vulnerability information and exploits are more likely to fall into the hands of cyber criminals or repressive regimes.

Apple gets high marks for engineering prowess. Even so, critics have noted that there is ample evidence emerged that the companies products were shipping with exploitable vulnerabilities and that Apple, one of the world’s wealthiest corporations, was clearly in a position to pay for information about those holes.

Speaking on Thursday, Krstic said that the new program was in response to feedback from Apple’s own engineering team, which complained that it was getting more difficult to find vulnerabilities in iOS on their own.  “The Apple bounty program will reward researchers who share critical vulnerabilities with Apple and we will make it a top priority to resolve those and provide public recognition,” Krstic said, according to Threatpost.

Apple isn’t throwing the door open entirely. The program will be open to only two dozen researchers initially, with Apple refusing to reveal the two-dozen researchers it has invited to the program.

Read more over at Threatpost.

Comments are closed.