Apple to Enlist the Aid of a Few Good Hackers
Apple on Thursday introduced its first bug bounty program, set to launch in September.

Ivan Krstic, head of Apple security engineering and architecture, announced the program during his presentation at the Black Hat security conference in Las Vegas.

The focus reportedly is on an exceptionally high level of service, and on quality over quantity. Participation in the program initially will be by invitation only, and it will be limited to a select group of researchers.

However, Apple plans to work with other researchers on a case-by-case basis, and the company reportedly will expand the program over time.

The bug bounty program "signifies how important it is to have community-based security versus an exclusive in-house security program," noted Chenxi Wang, chief strategy officer at Twistlock.

"To their credit (Apple) have done a great job in the quality and security of their software," she added, "but even Apple can't do it alone. They need the collective brain power of the hacking community to help."
Apple will offer these bounties, in five categories:
1. Up to US$200,000 for vulnerabilities in secure boot firmware components;
2. Up to $100,000 for flaws that allow the extraction of confidential material from the Secure Enclave Processor;
3. Up to $50,000 for vulnerabilities allowing the execution of arbitrary code with kernel privileges;
4. Up to $50,000 for flaws that allow unauthorized access to iCloud account data on Apple servers;
5. Up to $25,000 for flaws that enable access from a sandboxed process to user data outside that sandbox.
Apple also may reward researchers who share an exceptional, critical vulnerability outside of the five categories listed.
"With programs like this, there are two approaches," said Rob Enderle, principal analyst at the Enderle Group. "One is to actually find problems and fix them; the other is to use the program to create the impression you're secure by providing big bounties to do things you believe can't actually be done."

Apple's bounty program "appears to be the latter case, which is why (it's) both so restrictive and has such seemingly large bounties," he added. "This appears mostly targeted at undoing the damage the FBI did to Apple's security reputation when they broke into an iPhone some time ago."

The iPhone belonged to terrorist Syed Farook, who with his wife carried out a mass shooting in San Bernardino last year. After an unsuccessful court effort to compel Apple to unlock that device, the FBI paid a third party to do so.

News of the hacking raised concerns about the security of Apple devices, because "it showed that Apple can be breached," said Michael Jude, a program manager at Stratecast/Frost & Sullivan.

"Apple's now in an arms war with the government," he added. "They need to improve security quickly and show people they're taking it seriously. By engaging independents, (Apple) can ... provide an even stronger incentive to work within its community."