Apple Ups Bug Bounty Payouts, Expands Access to All Researchers and Launches macOS Program

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Aug 8, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    Apple is introducing an expanded bug bounty program that covers macOS, tvOS, watchOS, and iCloud as well as iOS devices, Apple's head of security engineering Ivan Krstić announced this afternoon at the Black Hat conference in Las Vegas.

    Apple introduced its invitation-only bug bounty program for iOS devices in August 2016, allowing security researchers who find bugs in iOS to receive a cash payout for disclosing the vulnerability to Apple. Until now, non-iOS platforms were not covered, an omission that the security community has repeatedly criticized.

    Apple's lack of a macOS bug bounty program made headlines earlier this year when a German teenager initially refused to hand over details of a major macOS Keychain security flaw because Apple didn't have a payout. While he did ultimately provide the info to Apple, he said that he hoped his refusal would inspire Apple to expand its bug bounty program, which the company has indeed done.

    Alongside the new macOS program, Apple is opening its bug bounty to all researchers later this year and raising the maximum payout from $200,000 per exploit to $1 million, depending on the nature of the security flaw. The top amount is reserved for a zero-click kernel code execution exploit with persistence, that is, one that requires no user interaction and survives a reboot.

    Researchers who discover vulnerabilities in pre-release software before general release can qualify for up to a 50 percent bonus payout on top of the base bug bounty amount.

    As reported earlier this week, Apple also plans to provide vetted and trusted security researchers with "dev" iPhones: special devices that give deeper access to the underlying software and operating system, making it easier to find vulnerabilities.

    Apple is providing these iPhones as part of its new iOS Security Research Device Program, launching next year. Apple's aim with these new bug bounty efforts is to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.

    (Thanks, SecuritySteve!)

  3. SecuritySteve macrumors 6502a

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #3
    Hey that's not my Twitter. I meant this site :D.
     
  4. ilikewhey macrumors 6502a

    ilikewhey

    Joined:
    May 14, 2014
    Location:
    nyc upper east
    #4
    Apple probably figured it's cheaper to have someone look for bugs than hiring a team of engineers.
     
  6. wellander1 macrumors regular

    Joined:
    Apr 30, 2019
    Location:
    Prescott Az
    #6
    Good.
    But do not forget to focus on stability too.
     
  7. jgbr macrumors 6502a

    Joined:
    Sep 14, 2007
    #7
    Finally. It should include core rot solutions too, i.e. stability.
     
  8. jclo Editor

    jclo

    Staff Member

    Joined:
    Dec 7, 2012
    Location:
    California
    #8
    Ha, sorry, I fixed it.
     
  9. Websnapx2 macrumors regular

    Joined:
    Apr 24, 2003
    #9
    Highly doubt that — Just more eyes looking. Apple is secretive, not cheap. They have an information-sharing issue.
     
  11. M.PaulCezanne macrumors 6502a

    M.PaulCezanne

    Joined:
    Mar 5, 2014
    #11
    This is welcome news. It would be nice if Apple could fully secure its own software but that's just not how the industry works.
     
  12. konqerror macrumors 6502a

    Joined:
    Dec 31, 2013
    #12
    Also, there are legal issues if an Apple engineer reverse engineers third-party apps on their platform and looks at their code, to use as part of an attack. This could lead to accusations that Apple copied from third parties' code, something that independent researchers don't run into.
     
  14. Cosmosent macrumors 6502a

    Joined:
    Apr 20, 2016
    Location:
    La Jolla, CA
    #14
    If someone has ALREADY Discovered an iOS Performance Bug in the A11 & A12, & has tried repeatedly to get the word out to Apple, but Apple never ONCE responded, what's the payout ???
     
  15. Chrjy macrumors 6502a

    Chrjy

    Joined:
    May 19, 2010
    Location:
    UK
    #15
    Just thought I'd point out the typo in this article:
    Researchers who discover vulnerabilities in pre-release software before general release can quality for up to a 50 percent bonus payout
     
  16. IIGS User macrumors regular

    Joined:
    Feb 24, 2019
    #16
    There's an old saying I'll paraphrase. "No plan of battle survives first contact with the enemy".

    No software testing can put every piece of software into every possible configuration. One different application, combined with a different time zone, and a screen configuration can change things enough for something inside to cry "uncle".

    Just like my old man used to say. Never buy the first year of a new model car or truck. Give it a year or two for some other idiot to find out the wiper switch doesn't like prune fumes, or some other issue no one thought up....
     
  17. Darth Tulhu macrumors 6502

    Darth Tulhu

    Joined:
    Apr 10, 2019
    #17
    So did that guy get paid?

    There is often a sacrificial lamb so that others may benefit...
     
  18. M.PaulCezanne macrumors 6502a

    M.PaulCezanne

    Joined:
    Mar 5, 2014
    #18
    prune fumes.
     
  19. killawat macrumors 65816

    Joined:
    Sep 11, 2014
    #19
    These rates look competitive compared to black market rates, especially since the money is clean.
     
  20. noraa macrumors 6502

    Joined:
    Jun 23, 2003
    #20
    Sometimes it's better to have 3rd party eyes looking at things. It's like if you're writing a paper and you proofread it yourself, oftentimes you will miss typos or misspellings that someone else reading your paper will find.
     
  21. NickName99 macrumors 6502

    NickName99

    Joined:
    Nov 8, 2018
    #21
    This is great news. If it’s far more profitable for people to sell exploits on the black market, they might do that.

    Unfortunately this is just a cost of doing business - and the more secure the system, the more valuable exploits are (since they are more rare).
     
  22. waquzy macrumors 6502a

    waquzy

    Joined:
    Sep 9, 2013
    Location:
    Leicestershire, UK
    #22
    Does this mean EverythingApplePro will get even richer?
     
  23. REFLUXER macrumors newbie

    Joined:
    Jul 12, 2014
    #23
    Two million dollars for a snappier Safari
     
  24. FontGeek macrumors newbie

    FontGeek

    Joined:
    Sep 15, 2018
    #24
    And now with the developer iOS devices, even more people that can leak information about Apple to the public. Sometimes I wonder if Apple actually wants the public to know bits and pieces about its “secret projects,” and that the secrecy thing is really there just to add suspense.
     
  25. szw-mapple fan macrumors 68000

    szw-mapple fan

    Joined:
    Jul 28, 2012
    #25
    I don’t think you understand how software security works. I’m sure Apple has a very good team of security researchers, but no single person or team can catch all flaws, no matter the number of people in that team. There will always be someone outside who will be able to hack their system and sell it on the black market. The bounty program is so that Apple will be able to entice these hackers with better and cleaner payouts so Apple can be a step ahead.
     