Apple's new security bug bounty program: What you need to know!

As part of the company's presentation at the Black Hat security conference, Apple is announcing its first security bounty program. It's pragmatic but optimistic, and continues Apple's tradition of looking at security as a multi-layer, multi-model challenge that requires constantly evolving technologies and practices. I had a chance to speak with several people at Apple involved with the program, and here's what you need to know.

Wait, Apple is presenting at Black Hat?

Yes! Ivan Krstić, head of security engineering and architecture at Apple, is giving a talk today. I get the surprise, though. Once upon a time, hearing that the head of Apple's software security efforts would be speaking at a public event would have been shocking. Today, it's just another step towards a better, stronger relationship between Apple and its community.

What's the talk about?

The talk is titled Behind the scenes of iOS security, and in it Krstić will be discussing how Apple handles the syncing of exceptionally sensitive customer data, like passwords, HomeKit data, and the new auto unlock feature in macOS Sierra and watchOS 3. He'll also discuss the secure element behind Apple's fingerprint identity sensor, Touch ID, and how WebKit, Apple's open source rendering engine, will be hardened against modern JavaScript exploits.

Back to the bounty program. When does it start and who's part of it?

The bounty program launches in September with a small group of researchers. Apple told me the company will be focusing on an exceptionally high level of service and putting quality very much ahead of quantity. The program will be expanded over time, but if anything urgent comes up, Apple is also open to working with other researchers on a case-by-case basis.

What are the bounties?

Apple will be considering critical issues in several key categories:

  • Up to $200,000: Secure boot firmware components.
  • Up to $100,000: Extraction of confidential material protected by the Secure Enclave Processor.
  • Up to $50,000: Execution of arbitrary code with kernel privileges.
  • Up to $50,000: Unauthorized access to iCloud account data on Apple servers.
  • Up to $25,000: Access from a sandboxed process to user data outside of that sandbox.

What if someone finds something beyond those categories?

Apple, of course, reserves the right to reward any researcher who shares any exceptional, critical vulnerability with the company, even if not part of the categories listed above.

Will the researchers also get credit?


OK, why is Apple doing this?

According to Apple, vulnerabilities are getting harder to find. That's true both internally, with Apple's security team, and externally, with researchers. As time passes and technology progresses, all the low-hanging vulnerabilities get patched and, unless some easy bug somehow makes it into the wild, finding an attack vector is incredibly complex and time-consuming work.

So, Apple wants some way to reward those who put in that time and work, disclose responsibly, and work with Apple to patch issues before they're exploited.

Does this have anything to do with the recent debate over iPhone security?

While Apple didn't mention anything on the topic, the company has made headlines this year by standing up for the privacy and security of their customers. As one of those customers, I've been thrilled by Apple's position. Not everyone shares that view, though. And there's a concern that, as Apple further locks down iOS, exploits will become more valuable to hackers and agencies alike.

Researchers want to do the right thing. Offering them help to fund their research makes it easier to do just that — especially since Apple is also offering a charitable option.

Stop. How is Apple bringing charity into the bounty?

At the researcher's discretion, Apple will pay out the bounty not to the researcher themselves, but to a charitable cause. Apple can also choose to match that donation, resulting in the charity getting up to twice the value of the bounty.

Good on Apple!


So this bounty will make my iPhone even more secure?

Ultimately, that's the plan. By incentivizing the best and brightest outside of Apple, the company is betting more exploits will be found sooner, allowing them to be patched earlier and faster, which is better for you, me, and everyone.

But… what about secrecy?

Secrecy still has its place. But so does community. Apple is bigger than ever. The Apple community is bigger than ever. The threats against privacy and community are, in some cases, more serious than ever.

Apple knows it. The community knows it. And now everyone can work together to ensure a better, more private, and more secure future.

Total win/win.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • Good to hear, thanks! I wonder how the trolls will negatively spin this one...wait for it....
  • About time. Was wondering when they would do something like this. With Google and others doing this, good to see Apple joining in and paying out to make the OS more secure!
  • Well, at this point it's only to surpass Blackberry in terms of most secure. I'm still glad to hear it, now maybe Google can take a leaf from Apple's book and physically check the code for apps going into the Google Play Store. Sent from the iMore App
  • The "hand checked" (which is what I'm guessing you meant when you said "physically") iOS app store has its share of bad apps, so not sure how that really helps. It's not like an app is just a small handful of code. Even the code I can write as a first year CS student could take a human an hour to go through, and an hour of an expert's time is NOT cheap. In the end, the operating system is as secure as its user. Both Macs and iOS devices can get infected easily if the user does dumb things (source: working tech support) and sometimes even when they don't. Hardened security is infinitely better than security by obscurity (see: Linux). The reason modern encryption is so powerful isn't that no one understands it. It's that even the people who understand it perfectly usually can't get the data back without a password. A wall is better at stopping things than a smoke cloud. It just makes sense.
  • Call it what you want, Apple still has real people looking at the code. It's not to determine if the app is bad or not, it's to find malware. Yes, occasionally things get by, however not to the extent that Google's minimalistic bot lets by. Sent from the iMore App
  • ignorance.
  • Lol Posted via the iMore app for Android
  • That's kind of a tortured phrase you used, but if you are trying to imply that Blackberry is "secure" or someone to beat in the security area, you are mistaken. Blackberry has had a backdoor in its software since the very beginning, and nothing with an open back door can really be called "secure." The truth is that Blackberry's vaunted security never existed in the first place.
  • Good to hear that Apple is doing this
    I'm happy for this Sent from the iMore App
  • Does this mean anything for the future of jailbreak?
  • Very bad news for jailbreaking I’m glad to report..
  • That won't stop them JB.. Negative effect.. but it will slow the process.
  • No, you can’t claim you found a bug in iOS, post it on the Apple Discussion Forums, and expect a check to arrive in the mail. Sorry.
  • Aahahahhaa
    If they paid for bugs, complaints and grievances, I'd be a millionaire over night! Sent from the iMore App
  • Why even cover this? You think anyone who knows anything about code actually reads iMore anymore? Maybe just stick to the advertisements disguised as articles, and "happy talk" about how great and wonderful Apple is. These seem to be iMore's only strengths.
  • This is good for Apple. Finally they are reckoning more eyes bugs than they can themselves quickly. I'm sure Apple would find them (eventually) .. but the more eyes the better. :) Always the possibility of more issues arising and rather than helping Apple to fix this, they favor attacking, but u gotta play it where it lays..
  • "Big" bounty :)