Apple has announced a big expansion to its bug bounty program that will not only expand the initiative to cover all of Apple’s operating systems — from the Mac to the Apple Watch — but also raises the maximum payout for the program, and Apple has announced plans to open it up to all security researchers who want to participate.
Although Apple launched its bug bounty program back in 2016, it was not only late to the game in encouraging hackers to come forward with security vulnerabilities found in its products, but in true Apple style it only opened it up to a small list of elite researchers, by invitation only. It also offered a relatively paltry $200,000 maximum payout — a fraction of what hackers can get for disclosing bugs on the black market instead of reporting them to Apple. Further, while Apple’s iPhone and iPad were arguably the most targeted devices, the company’s choice to limit it to iOS only proved similarly unpopular with many security researchers, and left all of Apple’s other platforms considerably more vulnerable.
Bug Bounties Aren’t Just for iOS Any More
During a presentation titled Behind the Scenes of iOS and Mac Security at the Black Hat conference in Las Vegas, Apple’s head of security and engineering Ivan Krstić, announced yesterday that Apple will be expanding its bug-hunting program to include not only iOS and macOS, but also tvOS, watchOS, and even iCloud, offering incentives to researchers who find vulnerabilities in virtually any of Apple’s platforms.
The release of a macOS bug bounty program is particularly important, after teen hacker Linus Henze found a serious vulnerability in the macOS keychain earlier this year but declined to share it with Apple as a protest against the company’s lack of a bug bounty for macOS. In short, because Apple wasn’t willing to pay him for the information, he wasn’t willing to share it. That wasn’t simply a selfish move on Henze’s part, but rather an effort to force Apple’s hand in expanding its bug bounty program — and it appears to have worked.
More Players and Bigger Incentives
Krstić also announced that Apple is finally opening up its bug bounties to all security researchers who are willing to participate in the program, rather than the special club of insiders that it had previously invited to the table. This means that anybody who finds a serious security bug can potentially earn a bounty by disclosing it to Apple, and there doesn’t appear to even be any accreditation required.
For example, earlier this year an Arizona teen discovered a serious flaw in FaceTime, and although Apple did the right thing by providing a bug bounty for his discovery, this was an exception that may have only been made as a result of the high-profile nature of the security flaw.
Apple will also be expanding the maximum payouts from the $200,000 previously offered to $1 million per exploit — depending of course on the nature and seriousness of the exploit. Zero-click kernel code executions with persistence will earn the maximum amounts, while vulnerabilities discovered in pre-release software will also get a 50 percent bonus payout on top of the normal amount in order to encourage researchers to hunt down security issues before an operating system is released to the general public.
Providing the Tools
Krstić also confirmed reports earlier this week that Apple will be providing specialized “research fused” iPhones to security researchers to aid them in their efforts. While many researchers have been able to acquire these iPhones in the past through black market sources, the process has been both expensive and technically illegal.
However, Apple clearly recognizes that if it’s going to maintain world-class security in its products, it will be important that researchers have access to the necessary tools — plus it will help Apple to more effectively close the holes by which such devices leaked out of its supply chain in the past.
For obvious reasons, these specialized iPhones will only be given to trusted security researchers who have been vetted by Apple, although it won’t be an invitation-only program — anyone is welcome to apply, but Apple will be looking for those with a “track record of high-quality systems security research on any platform.” Notably, these “research fused” iPhones will also be more specialized than the “dev fused” iPhones that security researchers have had access to thus far, with setups designed expressly for tracking down security bugs, including ssh access, a root shell, and advanced debug capabilities.
What This All Means For You
For those who are security researchers, this obviously means much better support and potential payouts. There will now be incentives for finding bugs in any of Apple’s platforms, regardless of whether you’re an established security expert or just a grassroots hacker sitting at home.
More importantly, however, for everybody else this is going to help promote even more secure hardware and software coming out of Apple. While Apple already makes some of the most secure devices available, we’ve still seen enough security flaws and exploits to prove that the company has a long way to go. Hopefully the expansion of Apple’s bug bounty program will get more people working on tracking down and fixing the problems that do exist before they ever see the light of day, which will be a huge win for consumers.