Apple bug bounty expands to MacOS, offers $1 million iOS reward

LAS VEGAS -- Apple's original bug bounty program was first announced at Black Hat 2016, and now the company has announced expansions of the program on iOS as well as the addition of MacOS to the program.

Ivan Krstić, head of security engineering and architecture at Apple, held the big news for the end of his talk at Black Hat 2019. Krstić began by talking about security improvements including secure boot for MacOS, which will require devices using the T2 security chip, EFI exploit mitigations -- including for Meltdown and Spectre, and improvements to iOS Kernel Integrity Protection.

Later, Krstić announced that Apple would be expanding its bug bounty program to include all Apple platforms, including iOS, tvOS, watchOS and MacOS. Previously, the program included iOS and iCloud only since being announced at Black Hat 2016.

"Even though we've focused on only the most high-impact vulnerabilities and invited only a very small number of researchers, we received around 50 very high value reports," Krstić said. "But we'd like to take this further. I'm happy to announce the Apple Security Program will be open to all researchers in the fall."

Additionally, Apple will provide some researchers with iOS devices similar to those used by Apple as development models; Krstić admitted that not having access to those devices was a barrier to entry for researchers seeking to participate in the Apple bug bounty.

The iOS Security Research Device program will begin in 2020 and be by application only. Krstić was somewhat vague about the requirements for those applying but made it clear Apple would consider anyone with "a track record of high quality systems security research on any platform."

Once accepted into the program, Apple would provide the researcher with iOS devices that are "using a new researcher fusing that is neither production nor development" and supports "SSH, a root shell and advanced debug capabilities."

"We wanted to attract those researchers who have been focusing their time on other platforms. Today, they tell us that they look at our platforms and want to do research but the bar is too high. They would first have to have full chain just to boostrap their research," Krstić said. "We also feel like existing iOS researchers should not have to hold back chains to be able to continue their research." 

The Apple bug bounty program categories have been revised and expanded, as well. Krstić only revealed the high-level categories, including attacks via physical access, attacks via user-installed apps, networks attacks requiring interaction and network attacks requiring no interaction. The payouts within these categories start at $100,000 and go up to $500,000 for "zero-click access to high-value user data."

"We're going one step further," Krstić said. "In certain pre-release builds, like beta release builds that we make available to our developers -- that we designate -- any vulnerabilities that are discovered in those pre-release builds which were not introduced prior and were reported to us before that operating system goes out to customers, we will offer a 50% bonus on top of all of those payouts."

After announcing the bonus, Krstić announced that the bounty for a zero-click iOS exploit with root and persistence would be $1 million, so it is unclear if this is included in the bonus offer.

There will be an additional 50% payout for vulnerabilities found in "certain pre-release builds" such as beta and developer preview software.

Casey Ellis, founder and CTO of Bugcrowd, said Apple's moves show a "normalization'' occurring around bug bounties and payouts for the most dangerous vulnerabilities. "Apple raising a reward to a $1 million is because they're mature as a company but also because they're a highly impactful target," he said.

The addition of MacOS to the Apple bug bounty program became a hot topic in February when 18-year-old German researcher Linus Henze disclosed a zero-day vulnerability, which could allow an attacker to extract passwords, private keys and tokens from the local Keychain password manager. Henze disclosed the MacOS zero-day vulnerability without first notifying Apple in protest of the Apple bug bounty not including vulnerabilities found in MacOS.