clock menu more-arrow no yes

Filed under:

Apple is launching an invite-only bug bounty program

New, 3 comments

It's one of the last major tech companies to start paying for exploits

Apple is planning a new bug bounty program that will offer cash in exchange for undiscovered vulnerabilities in its products, the company announced onstage at the Black Hat conference today. Launching in September, the program will offer cash rewards for working exploits that target the latest version of iOS or the most recent generation of hardware. It’s the first time Apple has explicitly offered cash in exchange for those vulnerabilities, although the company has long maintained a tip line for disclosing security issues.

Bug bounty programs have become an increasingly popular way to encourage responsible disclosure once a vulnerability is found. Uber, Fiat Chrysler, and the Department of Defense have all launched similar programs this year. More established companies like Google, Microsoft, and Facebook have had bounty programs in place for years. Google paid out more than $2 million in bug bounties last year, mostly for vulnerabilities in Android.

Payouts as high as $200,000

Apple was one of the last major tech companies without such a bounty program, relying instead on internal security teams and informal relationships with researchers. That policy drew some criticism in the wake of the San Bernardino case this year, after police purchased an undisclosed vulnerability in order to break security measures on an alleged killer’s phone.

The new program will begin as invite-only, including only a few dozen researchers. Still, Apple says the program will become more open as it grows, and if a non-member approaches Apple with a significant bug, they’ll be invited into the program to work it through. The invite system is unusual for a bounty program, but Apple explained it as necessary to weed out spurious submissions and make sure trusted researchers had adequate support from the company.

For now, the new program is also limited to five distinct categories of bugs. The most valuable category — worth up to $200,000 — is vulnerabilities that compromise the secure boot firmware components, cutting at the heart of Apple's hardware protections. Notably, those vulnerabilities are also particularly useful for jailbreaks. Smaller rewards are available for the extraction of data from the Secure Enclave, extraction of arbitrary code, escaping a sandboxed process, and obtaining unauthorized access to iCloud account data.