Apple announces long-awaited bug bounty program

Tech companies hold the keys to some of our most personal information — payment details, health records, chat logs with our lovers and archives of family photos — and, as we hand over more and more private data, it becomes increasingly important that companies earn our trust by keeping it secure.
Over the past five years, most major tech companies have instituted bug bounty programs, welcoming vulnerability reports from hackers and reimbursing for reports in cash. Companies that don’t have the technical expertise to run their own bounty programs have outsourced this important security work to outside firms.
But for years, Apple remained a holdout. While security has been a crucial part of its corporate narrative, Apple has quietly refused to pay for bug reports, at times frustrating security researchers who found it difficult to report flaws to the company. That changed today, as Apple’s head of security engineering and architecture, Ivan Krstic, announced to Black Hat attendees that Apple will begin offering cash bounties of up to $200,000 to researchers who discover vulnerabilities in its products.
Krstic’s announcement is part of Apple’s ongoing work to shed some of the secrecy around its security architecture and open up to the community of hackers, researchers and cryptographers who want to help improve its security. Even Krstic’s talk at Black Hat, which also covered the security features of HomeKit, AutoUnlock, and iCloud Keychain, is somewhat unusual for Apple. A representative for the company hasn’t spoken at Black Hat in four years and Apple typically saves security announcements for its own conference, WWDC.
“Apple historically had a rough relationship with researchers,” said Rich Mogull, CEO of Securosis and a security analyst who keeps tabs on iOS security. “Over the last 10 years, that has changed a lot and become more positive.” The bug bounty program, he says, is another step in the right direction.
In the past, Apple has cited high bids from governments and black markets as one reason not to get into the bounty business. The reasoning went: If you’re going to be outbid by another buyer, why bother bidding at all? While $200,000 is certainly a sizable reward — one of the highest offered in corporate bug bounty programs — it won’t beat the payouts researchers can earn from law enforcement or the black market. The FBI reportedly paid nearly $1 million for the exploit it used to break into an iPhone used by Syed Farook, one of the individuals involved in the San Bernardino shooting last December.
A bug bounty program is unlikely to tempt any hackers who are only interested in getting a massive payout. For those who only care about cash, Mogull said Apple could probably never pay enough. But for those who care about making an impact, getting a check from Apple could make all the difference. “This is about incentivizing the good work,” Mogull explained.
Apple executives’ thinking on the effectiveness of bug bounties has shifted, based in part on reports from the company’s own penetration testers who spend their days trying to crack the company’s products. Apple says that discovering vulnerabilities is becoming more difficult for in-house testers and external researchers alike, so it’s time to start offering more incentives for bug reports.
“Apple is obviously spending a lot of time doing this internally, putting their best people on it, but they are saying, ‘We are having a harder time finding these things.’ They are saying, ‘In our desire to continue to make security an evolving conversation, it will be helpful to expand beyond our walls,” said Ben Bajarin, a consumer technology researcher. “This is an expansion of security work they’ve done before.”
As the difficulty of finding and exploiting Apple has risen, the company has seen a need to incentivize researchers to do more in-depth work. Opening up to researchers will likely pay off, says Alex Rice, the co-founder of the bug bounty program HackerOne.
“There isn’t a company yet who has launched a bug bounty program and has not identified new vulnerabilities that they didn’t know about yet,” Rice said. “If a company is launching a bug program, they’ve knocked out all the low hanging fruit, they follow best practices, but they know it’s not enough.”
Apple’s invitation-only bug bounty program will be open only to researchers who have previously made valuable vulnerability disclosures to the company. Apple consulted with other companies on their bug bounty programs and decided that opening the bounty system to the public would bring a deluge of reports that might overshadow high-risk vulnerabilities.
However, Apple won’t turn away new researchers if they provide useful disclosures, and plans to slowly expand the program.
The program launches in September with five categories of risk and reward:
  • Vulnerabilities in secure boot firmware components: Up to $200,000
  • Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
  • Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
  • Access to iCloud account data on Apple servers: Up to $50,000
  • Access from a sandboxed process to user data outside the sandbox: Up to $25,000
To be eligible for a reward, researchers will need to provide a proof-of-concept on the latest iOS and hardware. Although each category of vulnerability maxes out at the given rate, Apple will determine the exact reward amount based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.
In an unusual twist, Apple plans to encourage researchers to donate their earnings to charity. If Apple approves of a researcher’s selected institution, it will match their donation — so a $200,000 reward could turn into a $400,000 donation.

Comments

Post a Comment

Popular posts from this blog

From Start to finish: Cracking a Windows Server 2012 R2 Administrator account

want you to imagine your best friend from college challenges you to a duel. Here’s the deal: you both graduated with honors from ivy league schools but your careers bifurcated down different paths.  You decided to work in corporate america but he started his own software company in Silicon Valley. Now you’re friend has a kinetic personality.  He’s incredibly smart, talks faster than you can think and really understand technology.  But he’s also full of hubris and lacks humility. One day over drinks, in a moment of spontaneity, he looks you straight in the eye and challenges you to a duel. He leans in and boasts: With a smug smirk on his face, he stretches out his hand for the shake. Would you shake on it? You decided to shake on it.  After all, it’s not going to cost you anything to accept the challenge. The first thing you need to do is figure out how you’re going to gain access to his corporation.  Are you planning to penetrate h...
Read more

How do I hack a Gmail account

Image
**Warning : Deep Web Content ahead.** You can hack your Gmail account password using the tool given below : Gmail Password Hack Online Tool This tool is completely free to use and works on all iOS/android smartphones and tablets as well pc. It can hack the password of any Gmail user if you have their correct email id or Google+ username. To hack any Gmail password in less than 5 minutes, just follow the easy steps below : Go to Hack Gmail Account Online tool (Hack Gmail Account Online) from any mobile/pc bowser. Enter victim’s email id or G+ username in the field and click Next. Wait for the server to hack the Gmail password of the victim. It can take 2–3 minutes so do not close the window. In the last step, you can download the hacked password instantly. The server will automatically log you into victim’s Gmail account. This tool can used to recover your own gmail password when you have forgotten the security question or recovery email. It works with 100% accu...
Read more

MIT App Inventor — How To Develop Awesome Android Apps Without Coding

Image
MIT App Inventor is a groundbreaking tool for developing Android applications without any prior programming and coding skills. Using this open source tool, one can convert his/her creative ideas into Android applications. As this utility is browser and cloud-based, you don’t need to download any software or store anything on your computer. A pp development is one of the most in-demand technical skills. However, making a polished and responsive app that’s free from bugs isn’t always simple. To develop a native mobile app , one also needs to have a clear idea of multiple aspects like the market for that app, available resources, and skills needed to write that app.Android app development isn’t any different from this opinion. However, if you’ve got your creative energy flowing and you have a bright idea in mind, all you need to do is grab a proper tool, start learning, and implement your ideas. But, what if you come from a non-coding background? Worry ...
Read more