Apple's Head of Security Engineering and Architecture, Ivan Krstić, has just dropped some bombshell announcements at the Black Hat conference in Las Vegas and we're going to talk about them.
Apple's Bug Bounty Program, take 2
Krstić announced the first bug bounty program three years ago at Black Hat 2016. Back then and ever since, it has only covered iOS and iCloud, and it topped out at $250 thousand for exploits of secure boot firmware components.
It was also invitation only. While Apple would entertain submissions from anyone, they purposely kept things small at first. That way, they could listen, learn, make mistakes, and figure things out before going wide.
You know, much to the frustration of many, measure 999 times before cutting once, as is their wont.
And there was plenty to learn from. At the beginning of the year, a teenager discovered a bug that could let people listen in using FaceTime and was unable to get a response from Apple's security reporting system.
Just a week later, a researcher refused to divulge a macOS password vulnerability because Apple didn't yet have a program for the Mac.
The knock on Apple has long been that they hired some of the best and brightest from the jailbreak, hacker, and research communities to join the company's security architecture team, which works to prevent exploits, and its red team, which works to find them before attackers do, but that they didn't exactly play well with the much broader, deeper community outside the company.
Still, Apple has had over 50 high-value reports fixed and paid out since the program began and they've worked to make reporting, for everyone, easier and more efficient.
Now, they're eager to roll it out even bigger and more broadly.
More platforms, bigger bounties
First, Apple's bug bounty program is coming to macOS. And also watchOS, tvOS… all of Apple's operating systems. Yeah, about damn time. Along with the new platforms, Apple is increasing the size and scope of the bounties.
$250 thousand was a lot for a company to pay out at the time. Sure, nation-states, the people who make commercial exploit tools for nation-states, and large bad actors may pay much more, but conventional wisdom was not to kick off a bidding war.
Instead, reward people who want to do the right thing in a way that makes it economically viable for them to do it. It's almost like the old Steve Jobs iTunes adage: people will pay for music rather than steal it if you offer it at a fair price. In this case, people will report vulnerabilities if you offer a fair reward.
And the fairness of Apple's reward has just gone up. For a zero-click, full-chain kernel code execution exploit, you can now get a pinky-finger-to-lips-inducing $1 million.
What's more, because, as Krstić put it, the only thing better than protecting users from exploits is protecting them before the exploits ever reach them, Apple is offering an additional 50% bonus for vulnerabilities reported against software that's still in beta, so the fix can ship before the vulnerable build reaches users.
Previously, Apple would also give researchers the option of donating their bounties to charity, and Apple the option of matching it for an even bigger payout. I wasn't able to find out if that still applies to the new, bigger bounties and bonuses. But if it does, holy wow.
Apple is also opening up the program. It's no longer invitation only, and no longer limited to a short list of researchers. It's now merit-based, easier to join, and covers expanded categories.
It's the last part that's the real kicker, though.
A lot of people will tell you that open source is better than proprietary code when it comes to security. And, sure, in theory that's true, because more people can audit it. But, as Heartbleed, the OpenSSL vulnerability, taught us, just because code is open doesn't mean anyone is actively auditing it.
Previously, to audit iOS security, researchers either had to come up with an entire exploit chain of their own just to break out of the sandbox, get root on the device, and poke around inside. That, or somehow get a developer-fused device from the gray market.
Developer-fused devices, sometimes called prototypes, are used inside Apple and its supply chain for testing. They're basically pre-jailbroken and, instead of running iOS, they run a diagnostic system called Switchboard.
In other words, they let researchers get on with poking, prodding, and — you know — researching.
Having to come up with their own exploit chain was a huge barrier to entry. Having to get their hands on a dev-fused device was an inconvenient, legally dubious one.
So, now, to open the program up even further, Apple will be providing a new category of device specifically for researchers. Not dev-fused, which stay internal to Apple, and not production-fused, which are the ones sold to everyone at retail. These new research-fused devices are designed to provide exactly the kind of system-level access researchers need to get on with their researching.
Patrick Wardle, a security expert and principal security researcher at Jamf, told TechCrunch, "Sure this is a win for Apple, but ultimately this is a huge win for Apple's end users."
Thomas Ptacek, security researcher, co-founder of Matasano, and principal at Latacora, said, "Apple is doing some smart stuff — partly flipping the script on the economics of vulnerabilities."
Access to research-fused devices also won't be invitation only. That doesn't mean Apple will be flinging them out like Oprah: you get a research device, and you get a research device, and you get a research device. There won't be a billion research-fused devices in our pockets.
But anyone with a track record of doing the kind of ethical research these devices enable should be able to get one.
Beyond the bounty, Krstić also gave an unprecedented look into the inner workings of Apple's security architecture, including the upcoming new Find My system.
I've covered the very basic, most superficial level of that in a previous video, link in the description.
He also talked about the T2 chip and boot protections, which I hope to learn more about when this talk gets posted.
In the meantime, let me know — what do you think of Apple's new bug bounty program? Still too little too late or way more than you ever expected?