Thursday, August 04, 2016

Apple Plans to Pay Out Big Cash Rewards For Security Bugs

Big news for security researchers and would-be iOS hackers: Apple has finally launched a high-dollar bug bounty program that could net you a whopping $200,000! The program, an Apple first, promises big payouts for hacks and security vulnerabilities affecting the most sensitive parts of Apple's iOS operating system.

Apple announced the new program at the Black Hat security conference when the head of Apple security, Ivan Krstic, took the stage. Krstic said the company would pay bug bounties -- up to $200,000 -- to researchers who find and report vulnerabilities in specific Apple software. Don't set your sights on a big payday just yet, though. As with everything Apple does, it is keeping very tight control over the program.

For now, Apple is limiting the program to about two dozen researchers, whom Apple will selectively invite to help identify hard-to-uncover security bugs in five specific categories. The high-dollar bounties are only being offered for a small range of iDevice and iCloud bugs. The full list is as follows:

  • Secure boot firmware components: up to $200,000 (~£150,000).
  • Extraction of confidential material protected by the Secure Enclave: up to $100,000.
  • Execution of arbitrary code with kernel privileges: up to $50,000.
  • Access from a sandboxed process to user data outside of that sandbox: up to $25,000.
  • Unauthorized access to iCloud account data on Apple servers: up to $50,000.

The payment amounts outlined above are upper limits and are not likely to reflect actual payments. Those will depend on the novelty of the issue and how likely it is to be exploited in the wild.

As with most bug bounty programs, to collect the payouts researchers will need to submit a report to Apple with a working proof-of-concept that demonstrates the exploit on the latest stable version of iOS. If the bug is hardware-related, the proof-of-concept must also work on the latest shipping iPhone or iPad hardware. Researchers are also asked not to disclose the bugs before Apple has had time to fix them, though the company would only say it would fix them as soon as possible and wouldn't commit to a firm time window.

Apple said it decided to limit the scope of the program on the advice of other companies that have previously launched bounty programs. According to Apple, those companies said that if they were to do it again, they would start by inviting a small list of researchers and then gradually open the program up over time. Limiting participation not only gives Apple more control, it also spares the company from dealing with a massive influx of potentially damaging leaked hacks and of "low-value" bug reports.
