Apple bug bounty program offers up to $1 mn to hackers who find flaws in iPhones and Macs

Apple will award $1 mn to researchers who can find a kernel vulnerability exploitable with zero clicks required from the iPhone owner


Apple has just raised the stakes for bug bounty hunters, aka white-hat hackers, who can find flaws in iPhones and Macs. Apple is said to be offering anywhere between $100,000 and $1,000,000, which is the largest bug bounty currently offered by any tech company.

That's not all. From this fall, the bug bounty program is open to all researchers. Earlier, only bug bounty hunters invited by Apple were eligible to claim rewards.

Bug bounty programs are quite popular in the tech industry. It simply makes sense for tech companies to invite ethical hackers to point out flaws for a cash reward, rather than be held to ransom by a black-hat hacker. Flaws sold on the black market can also be used for malicious ends such as conducting surveillance.


Tim Cook, CEO of Apple, waves to attendees during an Apple special event. Image: Reuters

According to a report by Forbes, the Apple bug bounty program now applies to iOS, macOS, tvOS and watchOS. The announcements were made at the Black Hat conference in Las Vegas by Apple's head of security engineering, Ivan Krstić, during his talk on iOS and macOS security. Krstić said that since the program's launch in 2016, around 50 bugs have been reported. While the iOS bug bounty program has been live since 2016, a program for macOS has only now been announced.

Apple says that the top prize of $1 mn will only be awarded to those who find a kernel vulnerability exploitable with zero clicks required from the iPhone's owner, i.e. a hack in which the attacker takes complete control of an iPhone without any user interaction. Around $500,000 will be awarded for a "network attack requiring no user interaction." Researchers who find flaws in software before it is released will get an additional 50 percent bonus on top of the reward money.

Many ethical hackers had refused to inform Apple about macOS security flaws because there was no bug bounty program, according to a security researcher who spoke to TechCrunch. This at times tempted some to sell those flaws on the black market instead. With such a high payout on offer, macOS ethical hackers will be breathing a sigh of relief.


According to Forbes, Apple is increasing the bug bounty awards (from a top reward of $200,000 to $1 mn now) to discourage researchers from selling the same information to governments for large sums of money.

Apple is also expected to give bug bounty participants special 'developer devices' that let ethical hackers dive deep into iOS and do things such as pausing the processor to inspect the data in memory. You will have to apply to the iOS Security Research Device program to get one of those devices, though, and they will only become available next year.