LAS VEGAS – Vulnerabilities in iPhone hardware and software are among the most valuable bugs there are, especially those that give an attacker full access to the device. Apple knows this as well as anyone, and today the company announced that it is starting an invitation-only bug bounty program that will pay up to $200,000 for the most critical iPhone bugs.
The announcement was a long time coming, as many of the larger security, software, and hardware companies have had bounty programs for years. Microsoft, Google, Facebook, and many others have well-established reward programs for researchers, but Apple had been resistant to the idea. On Thursday at the Black Hat conference here, Ivan Krstić, the head of Apple’s security engineering and architecture team, said the program would begin in September and would initially be by invitation only.
The payouts for researchers who bring new, critical bugs to Apple are substantial. The highest reward is $200,000 for a vulnerability in the iPhone’s secure boot firmware components, and there is a $100,000 payout for bugs that allow an attacker to extract confidential material protected by the Secure Enclave Processor. The lowest published reward is $25,000 for a sandbox escape, that is, a sandboxed process gaining access to user data outside its sandbox.
Krstić said that although the program is only open to a group of invited researchers right now, that’s not a hard-and-fast rule.
“It’s not meant to be any kind of exclusive club,” he said. “If you bring us a critical bug, we will look at it and if the work merits it, we will invite you into the program.”
Apple isn’t saying who the invited researchers are, or how many have been invited. The program also covers only iOS and iCloud for now, not macOS. That may change in the future, but Krstić didn’t make any commitments on that front. Analyst Rich Mogull of Securosis said he sees good potential for Apple’s program to evolve and to improve the security of its products.
“Apple’s program sets clear objectives. Find exploitable bugs in key areas they consider a priority. Since proving exploitability with a repeatable proof of concept is far more labor intensive than merely finding a vulnerability, pay the researchers a fair value for their work,” Mogull said in a post.
“In the process, learn how to tune a bug bounty program and derive the most value out of it. High-quality exploits discovered and engineered by researchers and developers Apple believes have the skills and motivations they feel will most help advance product security.”