Apple announces Bug Bounty program

Apple’s head of security engineering and architecture, Ivan Krstic, announced to Black Hat attendees today that Apple will begin offering cash bounties of up to $200,000 to researchers who discover vulnerabilities in its products.

Krstic’s announcement is part of Apple’s ongoing work to shed some of the secrecy around its security architecture and open up to the community of hackers, researchers and cryptographers who want to help improve its security.

Krstic’s talk at Black Hat, which also covered the security features of HomeKit, AutoUnlock, and iCloud Keychain, is somewhat unusual for Apple. A representative for the company hasn’t spoken at Black Hat in four years and Apple typically saves security announcements for its own conference, WWDC.

Apple executives’ thinking on the effectiveness of bug bounties has shifted, based in part on reports from the company’s own penetration testers who spend their days trying to crack the company’s products. Apple says that discovering vulnerabilities is becoming more difficult for in-house testers and external researchers alike, so it’s time to start offering more incentives for bug reports.

As the difficulty of finding and exploiting vulnerabilities in Apple’s products has risen, the company has seen a need to incentivize researchers to do more in-depth work.

Apple’s invitation-only bug bounty program will be open only to researchers who have previously made valuable vulnerability disclosures to the company. Apple consulted with other companies on their bug bounty programs and decided that opening the bounty system to the public would bring a deluge of reports that might overshadow high-risk vulnerabilities.

However, Apple won’t turn away new researchers if they provide useful disclosures, and plans to slowly expand the program.

The program launches in September with five categories of risk and reward:

  • Vulnerabilities in secure boot firmware components: Up to $200,000
  • Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
  • Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
  • Access to iCloud account data on Apple servers: Up to $50,000
  • Access from a sandboxed process to user data outside the sandbox: Up to $25,000

To be eligible for a reward, researchers will need to provide a proof-of-concept on the latest iOS and hardware. Although each category of vulnerability maxes out at the given rate, Apple will determine the exact reward amount based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.

In a small twist, Apple plans to encourage researchers to donate their earnings to charity. If Apple approves of a researcher’s selected institution, it will match their donation — so a $200,000 reward could turn into a $400,000 donation.