What you need to know
- Apple has launched its new Apple Security Bounty program.
- It means that security researchers who find critical security issues in Apple operating systems could get public recognition and even a substantial bounty payment.
- Rewards run as high as $1 million, and Apple will match rewards by donating to qualifying charities.
Apple has just launched its new Apple Security Bounty program, a scheme that will reward researchers who find critical security issues in Apple software, and ways to exploit them.
Apple has pushed out a slew of security material in the last 24 hours, including a new Apple Platform Security guide. The guide details all of Apple's efforts to make its hardware, devices, services, and apps more secure.
Perhaps more excitingly however is the launch of its new Bounty Hunter program!
Apple's developer website states:
As part of Apple's commitment to security, we reward researchers who share with us critical issues and the techniques used to exploit them. We make it a priority to resolve confirmed issues as quickly as possible in order to best protect customers. Apple offers public recognition for those who submit valid reports, and will match donations of the bounty payment to qualifying charities.*
Previously, Apple's bug bounty program was invitation-based, so only selected security researchers could take part. Apple also only ran the scheme for iOS security bugs. Now, it's open to all security researchers, a move it announced at the Black Hat security conference in Las Vegas in August of this year.
In order to be eligible for an Apple Security Bounty payout, the issue must occur on the latest publicly available version of either iOS, iPadOS, macOS, tvOS or watchOS with a "standard configuration" and where relevant, the latest hardware. The eligibility rules are designed to protect customers until an update for an exploit is available. Standard industry practice usually dictates that anyone who finds an exploit does not publicly reveal it until it's fixed. To qualify you also therefore must:
- Be the first person to report the issue.
- Provide a clear report including a working exploit
- Not disclose the issue publicly.
If you find an issue in a developer or public beta (including regressions), you could get up to a 50% bonus payout on top of the listed values for issues including; security problems introduced by a developer or public beta (but not all betas), or regressions of previously resolved issues, even if they have published advisories. Now, the good stuff. Here is a list of the maximum payout by category. All payouts are determined by Apple and depend on the level of access or execution achieved by the reported issue, modified by the quality of the report.
- Unauthorized access to iCloud account data on Apple Servers - $100,000
Device attack via physical access
- Lock screen bypass - $100,000
- User data extraction - $250,000
Device attack via user-installed app
- Unauthorized access to sensitive data - $100,000
- Kernel code execution - $150,000
- CPU side channel attack - $250,000
Network attack with user interaction
- One-click unauthorized access to sensitive data - $150,000
- One-click kernel code execution - $250,000
Network attack without user interaction
- Zero-click radio to kernel with physical proximity - $250,000
- Zero-click unauthorized access to sensitive data - $500,000
- Zero-click kernel code execution with persistence and kernel PAC bypass - $1,000,000
The page also notes that reports that include a basic proof of concept instead of a working exploit are eligible for no more than 50% of the maximum payout. At the very least, your report needs enough information that Apple can reproduce the issue.
You can read the full breakdown, including example payouts and the terms and conditions over on Apple's developer website. You'll also find the instructions for submitting reports there too!
As mentioned in the earlier tweet, Ivan Krstić's Black Hat 2019 talk is also now available on YouTube. It's titled 'Behind the scenes of iOS and Mac Security', the description of the video states:
The Find My feature in iOS 13 and macOS Catalina enables users to receive help from other nearby Apple devices in finding their lost Macs, while rigorously protecting the privacy of all participants. We will discuss our efficient elliptic curve key diversification system that derives short non-linkable public keys from a user's key pair, and allows users to find their offline devices without divulging sensitive information to Apple.
Check it out!
We may earn a commission for purchases using our links. Learn more.