Apple announced last Thursday that it was preparing to launch its first ever bug bounty program, which will begin in September. Ivan Krstić, head of Apple security engineering and architecture, revealed the program during his presentation at the Black Hat security conference that took place in Las Vegas last week.
The program will reportedly focus on high-level service and quality rather than speed and quantity. Those hoping to participate will have to wait for invitations at first, as the program will be limited to a very exclusive set of researchers.
That said, Apple does plan to work with a wide variety of other researchers on a case-by-case basis, and even the exclusive program is set to expand as time goes on.
According to Chenxi Wang, chief strategy officer at Twistlock, the bug bounty program “signifies how important it is to have community-based security versus an exclusive in-house security program.”
“To their credit they have done a great job in the quality and security of their software,” she continued, “but even Apple can’t do it alone. They need the collective brain power of the hacking community to help.”
The bug bounty program will offer the bounties for which it is named. Hackers can receive up to $200,000 for vulnerabilities they find in boot firmware components; $100,000 for flaws that allow the extraction of confidential material from the Secure Enclave Processor; up to $50,000 for vulnerabilities that could allow the execution of arbitrary code with kernel privileges, or that could allow unauthorized access to iCloud account data on Apple servers; and up to $25,000 for flaws that would allow a sandboxed process to access user data outside that sandbox.
Apple added that hackers who find vulnerabilities outside of these categories could still be eligible for a large cash reward.
“With programs like this, there are two approaches,” explained Rob Enderle, principal analyst at the Enderle Group. “One is to actually find problems and fix them; the other is to use the program to create the impression you’re secure by providing big bounties to do things you believe can’t actually be done.”
According to Enderle, Apple’s bounty program “appears to be the latter case, which is why it’s both so restrictive and has such seemingly large bounties… This appears mostly targeted at undoing the damage the FBI did to Apple’s security reputation when they broke into an iPhone some time ago.”
According to Michael Jude, program manager at Stratecast/Frost & Sullivan, when the government successfully hacked into terrorist Syed Farook’s iPhone earlier this year, “it showed that Apple can be breached.”
“Apple’s now in an arms war with the government,” Jude explained. “They need to improve security quickly and show people they’re taking it seriously. By engaging independents, Apple can provide an even stronger incentive to work within its community.”
Whether Apple’s bug bounty program succeeds will depend on a variety of factors, from the level of talent that the bounties attract to the sophistication of the security software in the operating system itself.