LAS VEGAS—Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty.
The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of bugs in iOS and iCloud are in scope.
Krstic made it clear that the bounty isn’t rigidly closed and that researchers submitting vulnerability reports in any of the five eligible classes could also be considered for invitation.
Krstic made the announcement to a loud ovation close to the end of his 50-minute speaking slot, during which he also made time for 10 minutes of Q&A. The majority of his talk was spent taking a deep technical dive into iOS 10 security features, including the new hardened WebKit JIT mapping feature that makes it much tougher for attackers to exploit memory corruption vulnerabilities in the iOS Safari JIT.
But the star attraction was the bounty announcement. Apple said the maximum reward will be $200,000 for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 for access from a sandboxed process to user data outside that sandbox.
“We’ve had great help from researchers like you in improving iOS security all along. As the mechanisms we build get stronger, the feedback I’ve gotten from my team is that it’s getting increasingly difficult to find those vulnerabilities,” Krstic said. “The Apple bounty program will reward researchers who share critical vulnerabilities with Apple and we will make it a top priority to resolve those and provide public recognition.”
Apple is not expected to reveal the two-dozen researchers it has invited to the program.
“The difficulty in finding most of the critical vulnerabilities is going up and up as we invest in new security technology and mechanisms,” Krstic said. “The difficulty is such that we want to reward people for their time and creativity they put in to finding bugs in these categories.”
Rich Mogull, analyst and CEO at consultancy Securosis, said that Apple is deliberate in everything it does.
“It’s the Apple way,” Mogull wrote in an analysis published shortly after the announcement. “Focus on quality, not quantity. Start carefully, on their own schedule, and iterate over time. If you know Apple, this is no different than how they release and manage nearly all of their products and services.”
Mogull also wrote that he didn’t believe Apple needed a bug bounty, but that product security will benefit.
“It won’t motivate the masses or those with ulterior motives, but will reward those interested in putting in the extremely difficult work to discover, then work through the engineering of, some of the really scary exploitable vulnerability classes,” Mogull said.