Apple Launches Bug Bounty With Rewards of Up to $200K

LAS VEGAS—Ivan Krstic, head of Apple Security Engineering and Architecture, was a surprise late addition to the Black Hat USA conference here Aug. 4 in a session in which he detailed upcoming security features in iOS 10. At the end of the talk, Krstic made an unexpected announcement—an Apple bug bounty program.

“I have some news. I’m very happy to say that Apple today is announcing an Apple security bug bounty program,” Krstic said as the capacity crowd erupted into spontaneous applause.

Over the years, Apple has benefited from the feedback of security researchers, Krstic said, but it is increasingly difficult to find the most severe vulnerabilities. To that end, the Apple security bug program will reward researchers who share critical vulnerabilities with Apple. Krstic added that Apple is making it a top priority to resolve issues as quickly as possible as well as provide public recognition for researchers.

The bug bounty program isn’t yet comprehensive; rather in its initial phase it covers a subset of potential vulnerabilities. Among the categories are secure boot firmware components, which is also the top reward at $200,000 per bug. A flaw that enables execution of arbitrary code with kernel privileges will earn a researcher up to $50,000, as will the unauthorized access to iCloud account data on Apple’s servers. Finally, Apple will pay up to $25,000 for vulnerabilities that will enable from a sandboxed process access to users’ data outside of that sandbox.

“We believe these payment amounts are commensurate with the level of difficulty in attacking some of these systems,” Krstic said.

If researchers choose to donate their rewards to charity, Apple will match the donation. Krstic noted that the listed amounts are the maximum payouts from Apple, with the precise amount determined after Apple’s engineering team reviews a submitted vulnerability. A security researcher will need to clearly document the flaw with a proof of concept and prove that it can work on the latest version of iOS. Additionally, Krstic’s team will look to see how much user interaction is required for a vulnerability to actually work.

“We know there are important vulnerabilities elsewhere, but this is where we are starting today,” he said.

The program goes live in September and will initially be a private invite-only effort. Krstic said that he will be inviting a “few dozen” top researchers to participate in the program.

“It’s not meant to be an exclusive club,” he said. “So if someone outside of the program brings us a bug that would be covered by the program, we will welcome that.”

Krstic’s talk at Black Hat is the first time an Apple employee has made a presentation about Apple security at the security conference since 2012. That talk was widely criticized, as the speaker, Apple Platform Security Manager Dallas De Atley, declined to take any questions, which is something that is generally expected from all Black Hat speakers. Krstic did take questions, but he only answered questions that pertained to the details he provided on Apple security during his talk.

The first question he got was about the influence of the FBI’s efforts to unlock the iPhone on Apple’s iOS 10 security architecture.

“I’m an engineer. I’m happy to answer technical questions about what I’ve covered today,” Krstic responded.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.