Apple this week finally unveiled details of a bug bounty program with payouts of up to $200,000. The program is invitation-only, open to a couple of dozen selected researchers who must provide a working proof of concept and coordinate disclosure with Apple to receive a payout.
Rewards range from $25,000 for a sandbox escape up to $200,000 for an exploit of secure boot firmware components. Rich Mogull, CEO of Securosis, explained a little more about Apple's decision to start a bug bounty program:
Unlike some members of our community, I don’t believe bug bounties always make sense for the company. Especially for ubiquitous, societal, and Internet-scale companies like Apple. First, they don’t really want to get into bidding wars with governments and well-funded criminal organizations, some willing to pay a million dollars for certain exploits (including some in this program). On the other side is the potential deluge of low-quality, poorly validated bugs that can suck up engineering and communications resources. That’s a problem more than one vendor mentions to me pretty regularly.
Details of the Apple Bug Bounty Program:
- Sources at Apple mentioned that if someone outside the program discovers an exploit in one of these classes, they could then be added to the program. It isn’t completely closed.
- Apple won’t be publishing a list of the invited researchers, but they are free to say they are in the program.
- Apple may, at its discretion, match any awarded dollars the researcher donates to charity. That discretion is to avoid needing to match a donation to a controversial charity, or one against their corporate culture.
- macOS isn't included yet. It makes sense to focus on the much more widely used iOS and iCloud, both of which are much harder to find exploitable bugs on, but I really hope Macs start catching up to iOS security, as much as Apple can manage without such tight control of hardware.
- I’m very happy iCloud is included. It is quickly becoming the lynchpin of Apple’s ecosystem. It makes me a bit sad all my cloud security skills are defensive, not offensive.
- I’m writing this in the session at Black Hat, which is full of more technical content, some of which I haven’t seen before.
And here are the bug categories and payouts:
- Secure boot firmware components: up to $200,000.
- Extraction of confidential material protected by the Secure Enclave: up to $100,000.
- Execution of arbitrary code with kernel privileges: up to $50,000.
- Unauthorized access to iCloud account data on Apple servers: up to $50,000.
- Access from a sandboxed process to user data outside that sandbox: up to $25,000.