
Apple announces expanded security bug bounty program up to $1 million; plans to release iOS Security Research Device program in 2020

  • 4 min read
  • 09 Aug 2019


Apple made some major announcements at the Black Hat cybersecurity conference 2019, which concluded yesterday in Las Vegas. Apple’s head of security engineering, Ivan Krstić, announced that researchers who find and report qualifying iPhone vulnerabilities can now earn rewards of up to $1 million. Apple has also introduced a new tiered payout schedule for security researchers, with the amount depending on the type of vulnerability found.

Krstić also unveiled Apple’s new iOS Security Research Device program, which will launch next year. As part of the program, qualified security researchers will be provided with special iPhones on which to look for flaws.

Apple expands its security bug bounty program


Apple first launched its bug bounty program in 2016. That program was invite-only, so only researchers Apple had selected could participate, and its maximum payout was $200,000.

Yesterday, Apple announced that, under its new security bug bounty program, a researcher who reports a qualifying iPhone vulnerability can receive up to $1 million. The bounty program has also been opened to all security researchers rather than an invited few, and it now covers all of Apple’s platforms: iCloud, iOS, tvOS, iPadOS, watchOS, and macOS.

https://twitter.com/mikebdotorg/status/1159557138580004864

Apple has also published a new payout schedule, with payouts starting at $100,000 for a bug that allows a lock screen bypass or unauthorized access to iCloud account data. Researchers can also earn a bonus of up to 50% for bugs found in pre-release (beta) software, before it ships to users. The top payout of $1 million is reserved for researchers who demonstrate a zero-click kernel code execution chain with persistence, that is, one that requires no interaction from the victim and survives a reboot.

https://twitter.com/Manzipatty/status/1159680310348537861

https://twitter.com/sdotknight/status/1159807563036340224

https://twitter.com/kennwhite/status/1159705960061030400


Apple’s new iOS Security Research Device program


Apple gave details of its new iOS Security Research Device program, which will launch next year. In this program, Apple will supply special iPhones to security researchers to help them find security flaws in iOS. However, the program is available only to researchers with a strong track record of security research, on Apple platforms or elsewhere.

https://twitter.com/0x30n/status/1159553364159414272

The special devices will differ from regular iPhones: they will come with ssh access, a root shell, and advanced debugging capabilities, so that researchers can inspect the system and identify bugs without first having to jailbreak the device. “This is an unprecedented fully Apple supported iOS security research platform,” said Krstić at the conference.

https://twitter.com/skbakken/status/1159556808198852608

https://twitter.com/marconielsen/status/1159584902339276801

Though many have praised Apple for the larger rewards and for starting the security research device program, some argue that the amounts are not that large. Given the knowledge and expertise required to find these bugs, there are suggestions that Apple should consider paying these researchers more, since they are the ones sparing Apple a great deal of negative P.R., and since they find bugs that Apple’s own employees have sometimes been unable to find.

A user on Hacker News comments, “1M is a lot of money to me, a regular person, but when you consider that top security engineering talent could be making north of 500k in total compensation, 1M suddenly doesn’t seem all that impressive. It’s a good bet to make on their risk. Imagine paying a mere 1M to avoid a public fiasco where all of your users get owned. This just seems like good business. They could make it 5M, and it would still be worth it to them in the medium to long term.”

Another user says, “I'm surprised by how cheap the vulnerabilities market is. A good exploit, against a popular product like Chrome, selling for 100k or even $1M may sound like a lot, but it's really pennies for any top software firm. And $1M is still a lot for a vulnerability by market prices.”

Another comment on Hacker News reads, “When I read the article, my first reaction was "Only a million?" Considering the importance of a bug like this to Apple's business and the size of their cash hoard, this sounds like they don't actually care that much.”

To know about other highlights at the Black Hat cybersecurity conference 2019, head over to our full coverage.
