Apple announces invitation-only bug bounty program at Black Hat conference

The company had lagged behind competitors in providing financial incentives to report exploits to it.

An Apple security chief unexpectedly announced the company will pay for vulnerabilities found in certain aspects of iOS and iCloud. The program is invitation only, and payouts will be based on severity and category.

The top fees across five areas range from $25,000 to $200,000, but could be much lower. The announcement came during a presentation by Ivan Krstić, Apple’s head of security engineering and architecture, at the Black Hat security research conference in Las Vegas.

The presentation also included a level of technical detail and disclosure of security—here, related to AutoUnlock, HomeKit, and iCloud Keychain—that has been mostly absent in the past at conferences, according to those present.

The fees offered aren’t enough to deter those merely in it for the cash, as major flaws can command cash from malicious and legitimate parties alike that far exceeds Apple’s top rates.

But it could help convince researchers to disclose problems to Apple and remain mute until the bugs are patched.

In some instances in the last few years, those who had discovered exploits went public after they decided sufficient time had passed without Apple providing updates.

Most of Apple’s competitors for customers and eyeballs already run so-called bug bounty programs, in which researchers or hackers turn over what they know in exchange for a fee, usually paid in cash, and keeping quiet until fixes ship.

Some sponsor hacking events, paying out in cash, equipment, or both for achieving a goal, like breaking out of a browser sandbox designed to contain malicious software from the rest of a system. Amazon now remains the exception among large Internet firms.

Details were assembled from participant reports; the presentation isn’t available online, and Apple hasn’t posted details yet. We have a query out to Apple for more information; some researchers and publications were briefed under embargo ahead of time.

Krstić listed five categories of bugs and the top fee paid for each. Those who attended say that macOS isn’t yet covered as part of the program.

  • Secure boot firmware components ($200,000 cap)
  • Extraction of confidential material protected by the Secure Enclave Processor ($100,000 cap)
  • Execution of arbitrary code with kernel privileges ($50,000 cap)
  • Unauthorized access to iCloud account data on Apple servers ($50,000 cap)
  • Access from a sandboxed process to user data outside of that sandbox ($25,000 cap)

Each of these categories represents a key attack vector for governments and criminals alike. While iOS has never had exploits spread significantly in the wild, jailbreaking software has made use of various methods of running arbitrary code. In a separate Black Hat presentation, the makers of the Pangu jailbreak for iOS 9 (fixed in 9.2) described how they achieved that kind of code execution.

So far, there’s been no known extraction of data from the Secure Enclave, the dedicated hardware in iOS devices with an A7 or newer processor that acts as a one-way valve to store fingerprint characteristics and certain data associated with Apple Pay. It’s also used to prevent downgrading iOS to exploit a bug in a previous release.

While iCloud accounts have been compromised in the past through certain weak password entry endpoints and social engineering of celebrity accounts, there’s been no reported breach of iCloud servers.

Those invited to apply to the program will have to provide a proof of concept that works on current software and hardware. Bounties will be based on a combination of factors, as with other corporate bug programs, such as how much interaction is required from a user to trigger it, the exploit’s severity, how novel it is compared to previously known issues, and how clearly the flaw is described.

Apple has also offered a bump to bug finders who want to donate their awards to charity. At its discretion—potentially to avoid supporting charities at odds with its image or public stances—Apple will match donated awards dollar for dollar.

Security researcher Rich Mogull, a contributor to Macworld and other Apple-focused publications, noted in a post on his company’s blog that Apple will consider adding those who discover bugs but haven’t been invited to the bounty program. Apple won’t publish a list of invitees, he writes, but those participating are free to disclose it. Mogull writes a couple of dozen researchers have received initial invitations. This is clearly intended to reduce the volume of reports and keep the quality high. Apple has long accepted bug reports without the potential of compensation, and that continues.

Apple began to acknowledge researchers who conformed to its advance disclosure and testing rules several years ago and includes their name and company affiliation (if any) in security updates. Apple withholds credit from, and sometimes punishes, those who work outside its guidelines, most prominently suspending Charlie Miller, who had previously discovered many flaws, from its developer program in 2011 after he had an app approved in the App Store with a proof-of-concept flaw embedded.

Bugs pay big on gray and black markets, with criminal syndicates and government agencies sometimes vying for the same exploit before it’s found and patched. These so-called zero-day bugs, ones that aren’t patched before they’re used to exploit a weakness, give malicious and legitimate parties alike ways to crack servers, operating systems, and sometimes individual computers and mobile devices. Effective cracks can go for tens of thousands of dollars, with reports putting the top rate at a million dollars.

The Department of Justice dropped its attempt to force Apple to create a specialized version of iOS that would allow the FBI to attempt to crack a work-provided iPhone used by San Bernardino mass-killer Syed Rizwan after it obtained a bypass from a third party.

Fees at other companies start at $100 to $500 and are capped at anywhere from $20,000 at Google to $100,000 at Microsoft. Some companies don’t have an announced cap, and may offer far higher fees for major exploits.

Stories by Glenn Fleishman