Apple made some major announcements at the Black Hat 2019 cybersecurity conference, which concluded yesterday in Las Vegas. Apple’s head of security engineering, Ivan Krstić, announced that anybody who can hack an iPhone will get a reward of up to $1 million. Apple has also released a new payout system for security researchers, with the payout depending on the type of vulnerability found.
Krstić also unveiled Apple’s new iOS Security Research Device program, which will launch next year. As part of the program, qualified security researchers will be provided with special iPhones to find flaws in iOS.
Apple expands its Security Bug Bounty program
Apple first launched its bug bounty program in 2016. The previous program paid up to $200,000 and was open only to researchers in Apple’s invite-only bug bounty program.
Yesterday, Apple announced that under its new security bug bounty program, anyone who can hack an iPhone will receive up to $1 million. The bounty program has also been opened to all security researchers, and it now covers all of Apple’s platforms, including iCloud, iOS, tvOS, iPadOS, watchOS, and macOS.
Apple Bug Bounty. pic.twitter.com/jyD9UwU9pI
— mikeb (@mikebdotorg) August 8, 2019
Apple has also released a new payout system, with payouts starting at $100,000 for a bug that allows lock screen bypass or unauthorized access to iCloud. Researchers can also earn a bonus of up to 50% for bugs found in pre-release software. The top payout is reserved for researchers who discover a zero-click kernel code execution with persistence.
Now Apple is confident to its devices no vulnerabilities, if you're a best hacker $1M will be given to u…So powerful 👌
— Manzi Patrick (@Manzipatty) August 9, 2019
I’m really excited about Apple deciding to include beta software in their bug bounty program. I think that has the potential to really help improve the security of final releases.
— Scott Knight (@sdotknight) August 9, 2019
That's real money https://t.co/vSfHyULtaG
— Kenn White (@kennwhite) August 9, 2019
Apple’s new iOS Security Research Device program
Apple gave out details about its new iOS Security Research Device program, which will launch next year. Under this program, Apple will supply special iPhones to security researchers to help them find security flaws in iOS. However, the program is available only to researchers with a strong track record of security research on any platform.
iOS security research device program! pic.twitter.com/4NsKH1DMGd
— Jesse D'Aguanno (@0x30n) August 8, 2019
The special devices will differ from regular iPhones: they will come with ssh, a root shell, and advanced debugging capabilities to make it easier to identify bugs. “This is an unprecedented fully Apple supported iOS security research platform,” said Krstić at the conference.
iOS bug bounty improvements were great to hear, but iOS security research device program coming in 2020 seems pretty great and good for iOS user security in general! #BlackHatUSA
— Sam Bakken (@skbakken) August 8, 2019
Wow this is great
— Marco Nielsen (@marconielsen) August 8, 2019
Though many users have praised Apple for the large rewards and for initiating the security research device program, some argue that the amount is not that large. Given the knowledge and expertise required to find these bugs, there are suggestions that Apple should consider paying these researchers more, since they are the ones saving Apple from a lot of negative P.R., and since they find bugs that even Apple’s own employees are sometimes unable to find.
A user on Hacker News comments, “1M is a lot of money to me, a regular person, but when you consider that top security engineering talent could be making north of 500k in total compensation, 1M suddenly doesn’t seem all that impressive. It’s a good bet to make on their risk. Imagine paying a mere 1M to avoid a public fiasco where all of your users get owned. This just seems like good business. They could make it 5M, and it would still be worth it to them in the medium to long term.”
Another user says, “I’m surprised by how cheap the vulnerabilities market is. A good exploit, against a popular product like Chrome, selling for 100k or even $1M may sound like a lot, but it’s really pennies for any top software firm. And $1M is still a lot for a vulnerability by market prices.”
Another comment on Hacker News reads, “When I read the article, my first reaction was ‘Only a million?’ Considering the importance of a bug like this to Apple’s business and the size of their cash hoard, this sounds like they don’t actually care that much.”
To know about other highlights at the Black Hat cybersecurity conference 2019, head over to our full coverage.