Everything you need to know about Apple's new security bounty program.

As part of the company's presentation at the Black Hat security conference, Apple is announcing its first security bounty program. It's pragmatic but optimistic, and continues Apple's tradition of looking at security as a multi-layer, multi-model challenge that requires constantly evolving technologies and practices. I had a chance to speak with several people at Apple involved with the program, and here's what you need to know.

Wait, Apple is presenting at Black Hat?

Yes! Ivan Krstić, head of security engineering and architecture at Apple, is giving a talk today. I get the surprise, though. Once upon a time, hearing that the head of Apple's software security efforts would be speaking at a public event would have been shocking. Today, it's just another step towards a better, stronger relationship between Apple and its community.

What's the talk about?

The talk is titled Behind the scenes of iOS security, and in it Krstić will be discussing how Apple handles the syncing of exceptionally sensitive customer data, like passwords, HomeKit data, and the new auto unlock feature in macOS Sierra and watchOS 3. He'll also discuss the secure element behind Apple's fingerprint identity sensor, Touch ID, and how WebKit, Apple's open source rendering engine, will be hardened against modern JavaScript exploits.

Back to the bounty program. When does it start and who's part of it?

The bounty program launches in September with a small group of researchers. Apple told me the company will be focusing on an exceptionally high level of service and putting quality very much ahead of quantity. The program will be expanded over time, but if anything urgent comes up, Apple is also open to working with other researchers on a case-by-case basis.

What are the bounties?

Apple will be considering critical issues in several key categories:

  • Up to $200,000: Secure boot firmware components.
  • Up to $100,000: Extraction of confidential material protected by the Secure Enclave Processor.
  • Up to $50,000: Execution of arbitrary code with kernel privileges.
  • Up to $50,000: Unauthorized access to iCloud account data on Apple servers.
  • Up to $25,000: Access from a sandboxed process to user data outside of that sandbox.

What if someone finds something beyond those categories?

Apple, of course, reserves the right to reward any researcher who shares any exceptional, critical vulnerability with the company, even if not part of the categories listed above.

Will the researchers also get credit?


OK, why is Apple doing this?

According to Apple, vulnerabilities are getting harder to find. That's true both internally, with Apple's security team, and externally, with researchers. As time passes and technology progresses, all the low-hanging vulnerabilities get patched and, unless some easy bug somehow makes it into the wild, finding an attack vector is incredibly complex and time-consuming work.

So, Apple wants some way to reward those who put in that time and work, disclose responsibly, and work with Apple to patch issues before they're exploited.

Does this have anything to do with the recent debate over iPhone security?

While Apple didn't mention anything on the topic, the company has made headlines this year by standing up for the privacy and security of their customers. As one of those customers, I've been thrilled by Apple's position. Not everyone shares that view, though. And there's a concern that, as Apple further locks down iOS, exploits will become more valuable to hackers and agencies alike.

Researchers want to do the right thing. Offering them help to fund their research makes it easier to do just that — especially since Apple is also offering a charitable option.

Stop. How is Apple bringing charity into the bounty?

At the researcher's discretion, Apple will pay out the bounty not to the researcher themselves, but to a charitable cause. Apple can also choose to match that donation, resulting in the charity getting up to twice the value of the bounty.

Good on Apple!


So this bounty will make my iPhone even more secure?

Ultimately, that's the plan. By incentivizing the best and brightest outside of Apple, the company is betting more exploits will be found sooner, allowing them to be patched earlier and faster, which is better for you, me, and everyone.

But… what about secrecy?

Secrecy still has its place. But so does community. Apple is bigger than ever. The Apple community is bigger than ever. The threats against privacy and community are, in some cases, more serious than ever.

Apple knows it. The community knows it. And now everyone can work together to ensure a better, more private, and more secure future.

Total win/win.