Apple announced that it will be expanding the scope of its bug bounty program and increasing its maximum possible reward payout to $1 million.
Ivan Krstić, Apple’s head of security engineering, made the announcement during a presentation on iOS and macOS security at Black Hat USA 2019. He revealed that Apple’s bug bounty program will begin recognizing vulnerabilities affecting macOS, tvOS and watchOS later this year. This decision will effectively expand the scope of the program, a framework which the tech giant originally unveiled at Black Hat USA back in 2016, beyond its original iOS-only purview.
As part of this announcement, Krstić stated that the tech giant would increase its highest bug bounty payout from $200,000 to $1 million for a kernel compromise of the iPhone that requires no user interaction. He went on to reveal that Apple would award $500,000 for a network attack with no user interaction, as well as a 50 percent bonus for researchers who discover flaws in software prior to its release, Forbes reported.
Krstić also announced that the tech giant will give out several “dev” iPhones to vetted security researchers who are participating in the bug bounty program. These devices will enable those individuals to access an iPhone’s underlying software and operating system in greater depth than they can on a consumer device. In so doing, these iPhones will enable researchers to uncover iOS security vulnerabilities that are harder to find.
Patrick Wardle, principal security researcher at Jamf, told Forbes in another report that these changes will help both Apple and its users:
If you’re a large, well-resourced company such as Apple, who claims to place a premium on security, having a bug-bounty program is a no-brainer. Such a program highly encourages talented external security researchers to audit Apple’s hardware and software products, which will result in many vulnerabilities being uncovered and reported to Apple. End result: Apple’s products will become largely more secure. Sure, this is a win for Apple, but ultimately this is a huge win for Apple’s end users.
These changes reflect the value which Apple has already derived from its bug bounty program. Per Krstić’s presentation, the tech giant received reports of 50 serious vulnerabilities during the program’s first three years.