Apple is on the ‘bug’ bounty hunt
On August 4th, 2016, Apple’s head of security engineering, Ivan Krstić, announced that the company will start paying ‘bug bounties’ to researchers who find and report weaknesses in Apple software. Krstić made the announcement on the last day of the Black Hat cybersecurity conference in Las Vegas.
Bounty programmes pay outside researchers who report bugs and flaws in a company’s software, and this is the first such programme Apple has run. Previously, those who found bugs were credited on Apple’s website rather than paid. This approach has not gone without criticism, as a name on a website cannot compete with the tens of thousands of dollars that other vendors (or the exploit market) will pay for the same finding.
Bug bounty programmes are not new to tech and have been around for almost as long as cybersecurity has been a necessity. Companies such as Google, Yahoo and Facebook have long run them; Facebook alone paid out almost $1 million in bug bounty rewards in 2015.
Apple traditionally has not been a big target for malware authors. Part of that was the widespread (and never accurate) belief that OS X was immune to viruses, but the larger reason was market share: PC users far outnumbered Mac users, so Macs offered attackers a much smaller pool of victims. That has changed as Apple’s devices have become more popular, and Apple users have become a bigger target in recent years. This past March, Apple saw a notable security incident with the ‘KeRanger’ ransomware, which was distributed through a tampered copy of a legitimate Mac application.
Users who installed the infected program found their files encrypted and their Macs effectively unusable until they paid one bitcoin (worth around $400 at the time) to a specified address. Although only about 6,500 users were affected, it was still a significant attack for Apple, as the first functional ransomware seen on the Mac. More recently, the United States Federal Bureau of Investigation thrust Apple’s security into the limelight when it reportedly paid outside hackers more than $1 million for a method to unlock an iPhone used by one of the assailants in the 2015 San Bernardino shooting.
Apple was criticised for refusing to build the FBI a way into the phone, but the incident also showed that third parties held working exploits for flaws Apple had not yet found or fixed. Many suggested that, had a bounty programme existed at the time, that particular bug might have been reported to Apple and patched long before the FBI could have bought and used it. Some say it was Apple’s arrogance that kept it from offering a bounty programme, but the incident with the FBI looks to have humbled the company a bit.
The programme will launch this coming autumn and Apple is offering some large bounties of up to $200,000. There is a sliding scale of what researchers can receive, depending on the class of vulnerability they disclose: up to $25,000 for escaping a sandboxed process to reach user data outside that sandbox, up to $50,000 for unauthorised access to iCloud account data on Apple’s servers (or for arbitrary code execution with kernel privileges), up to $100,000 for extracting confidential material protected by the Secure Enclave, and up to $200,000 for vulnerabilities in the secure boot firmware that an iOS device relies on to start up. For the hackers out to do good, Apple has also stated that anyone who receives a bounty and donates it to charity will have the donation matched.
Note that access to Apple’s bug bounty programme is by invitation only, and is currently limited to researchers who have previously made valuable security contributions to the company. Apple did say, however, that it would not turn away anyone who provides a beneficial disclosure in the future. It will be interesting to see the results of the programme and whether Apple expands it beyond the current invitation-only structure.
Concerned about the threat of bugs, malware or other cybersecurity issues? For high quality IT Support in London, look no further than Syntax IT Support.