

Apple Announces Bug Bounty At Black Hat With Maximum $200,000 Reward (threatpost.com)

msm1267 quotes a report from Threatpost: Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty. The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of bugs in iOS and iCloud are in scope. Apple said the maximum reward will be $200,000 for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 for access from a sandboxed process to user data outside that sandbox.

39 comments

  1. Frist Psot by Anonymous Coward · · Score: 0

    Sent from my iPhone.

  2. Invitation-only by Anonymous Coward · · Score: 4, Insightful

    I don't think Apple understands the concept of the bug bounty program. Making it invitation-only will not persuade those who find bugs and have not been invited from sharing the details of the bug with you.

    1. Re: Invitation-only by Anonymous Coward · · Score: 0

      Yeah, because they would never think to just make a deal with one of the invitees to report it and get a cut of the money.

    2. Re:Invitation-only by Space cowboy · · Score: 2

      Yep, they ought to let you in to the "invite" group if you find something and they didn't "invite" you. For feck's sake Apple. Oh, wait, that's the 3rd paragraph in TFA.

      Seriously, this is how Apple do it - they start a small project off to get experience, then they roll it out. I can't see the problem here...

      --
      Physicists get Hadrons!
    3. Re:Invitation-only by Anonymous Coward · · Score: 0

      The problem is, it's Apple. So literally nothing they do - including gifting everybody in the world with a gold-plated machine that magically prints money, cures all their ailments, and lets them live forever - will make some of the dumbasses on Slashdot happy.

    4. Re:Invitation-only by Anonymous Coward · · Score: 0

      If you're not invited, I think the conversation would be roughly like this:

      1. "Hi Apple, I've found a zero day in iOS."
      "Are you in our bug bounty program?"
      "No. I suggest you invite me to join, otherwise I'm selling the exploit on the open market."
      "Oh, okay. You can join."
      2. ...
      3. Profit.

  3. Are any of the Invitees by Anonymous Coward · · Score: 0

    From the FBI?

  4. invitation only... $200,000 max by fustakrakich · · Score: 5, Insightful

    In the meantime the uninvited enjoy much greater rewards exploiting the bugs

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:invitation only... $200,000 max by Anonymous Coward · · Score: 0

      And, does not cover MacOSX

    2. Re:invitation only... $200,000 max by Anonymous Coward · · Score: 0

      In the meantime the uninvited enjoy much greater rewards exploiting the bugs

      The $200K is the bonus they get for telling Apple about the vulnerability after they've exploited it.

    3. Re:invitation only... $200,000 max by Anonymous Coward · · Score: 0

      It's an iOS only thing. Doesn't include MacOS, WatchOS or TVOS.

    4. Re:invitation only... $200,000 max by macs4all · · Score: 2

      It's an iOS only thing. Doesn't include MacOS, WatchOS or TVOS.

      I understand WatchOS and TVOS not being included, since they are, in large part, iOS; but not having a separate bounty for macOS seems kind of odd. Anyone care to elaborate on why that might be?

    5. Re:invitation only... $200,000 max by Kjella · · Score: 3, Insightful

      In the meantime the uninvited enjoy much greater rewards exploiting the bugs

      So? You also make more money selling crack cocaine than burgers at McDonald's, bounties are so white hats can make a living for those who want to be legit security researchers. I really doubt there's many that flip-flop between white hat and black hat depending on who's the highest bidder.

      --
      Live today, because you never know what tomorrow brings
    6. Re:invitation only... $200,000 max by ausekilis · · Score: 1

      In the meantime the uninvited enjoy much greater rewards selling the bugs to the highest bidder

      FTFY

    7. Re:invitation only... $200,000 max by Plumpaquatsch · · Score: 2

      It's an iOS only thing. Doesn't include MacOS, WatchOS or TVOS.

      I understand WatchOS and TVOS not being included, since they are, in large part, iOS; but not having a separate bounty for macOS seems kind of odd. Anyone care to elaborate on why that might be?

      Well, ultimately all smallprintOS are just OS X [cue Steve Jobs at the introduction of the iPhone saying it will run OS X] with a (more or less) different UI-API suited to the device class they run on. And any bug found outside that UI will benefit the core OS X and thus all other smallprintOS.

      --
      Of course news about a fake are Fake News.
    8. Re:invitation only... $200,000 max by Anonymous Coward · · Score: 0

      [...] bounties are so white hats can make a living [...]

      So why did they announce it at Black Hat?

    9. Re:invitation only... $200,000 max by Plumpaquatsch · · Score: 1

      In the meantime the uninvited enjoy much greater rewards selling the bugs to the highest bidder

      FTFY

      Of course no bug bounty program yet installed has prevented that from happening. At least not if the target was in any way interesting to bidders.

      --
      Of course news about a fake are Fake News.
    10. Re:invitation only... $200,000 max by Anonymous Coward · · Score: 0

      In the meantime the uninvited enjoy much greater rewards exploiting the bugs

      Or, if you read the TFA (yes, I'm new here), especially the third paragraph:

      Krstic made it clear that the bounty isn’t rigidly closed and that researchers submitting vulnerability reports in any of the five eligible classes could also be considered for invitation.

    11. Re:invitation only... $200,000 max by Anonymous Coward · · Score: 0

      There is nothing inherently illegal about buying or selling security exploits. The federal government relies on this market.

      Remember the San Bernardino iPhone? The FBI paid 1 mil for a single use exploit. A one time payment of 200k is chump change when you could just sit on it and strike a deal with the feds of a dozen countries for its continuous use.

    12. Re:invitation only... $200,000 max by Anonymous Coward · · Score: 0

      I really doubt there's many that flip-flop between white hat and black hat depending on who's the highest bidder.

      GreyHat? There's a ton of those guys.

    13. Re:invitation only... $200,000 max by fustakrakich · · Score: 2

      You also make more money selling crack cocaine than burgers at McDonald's

      Exactly, that's why crack is available, delivered to your doorstep (soon by drone) 24/7. McDonalds sales amount to ~25 billion per year. Cocaine ~88 billion. Contraband is a bigger part of the economy than people like to admit. And those McDonalds employees could use a little supplemental income.

      If you want your bounties to work, you can't go around putting conditions on them. Most people are going to take the path of least resistance. In fact, they will go to the highest bidder. And like the AC said above, why go the black hat conference when you are better off putting an ad in the paper? That's like trying to get the Afghan poppy grower to replace his crop with wheat. Where's the money in that? Maybe they don't want to advertise just how profitable the exploits are to the whole world? After all, it is extremely easy money for very little effort. Only the stupid and the excessively greedy are going to get caught, and they are the only ones you read about.

      This is a game that the biggest sociopath is always going to win. So the question is how to deal with that without being one. I suppose using honeypots instead of bounties is a partial solution, but it only deals with one sector of the market, those who want to sell their exploits instead of using them. Still it is the better direction to take. It would do more to take the profit out of the business. Bounties do exactly the opposite.

      --
      “He’s not deformed, he’s just drunk!”
    14. Re: invitation only... $200,000 max by Anonymous Coward · · Score: 0

      Because BlackHat has nothing to do with black hat hackers anymore. It's more like CES for lock-pickers.

    15. Re: invitation only... $200,000 max by Anonymous Coward · · Score: 0

      No, they didn't.

    16. Re:invitation only... $200,000 max by trparky · · Score: 1

      That's basically the gist of it. If you look at the security bulletins that Apple publishes and compare the OS X El Capitan updates to the iOS updates, more often than not the same fixes that made it into iOS are also part of the security release for OS X El Capitan.

      iOS, WatchOS, and TVOS are all basically OS X under the hood except with a different GUI on top. Under the hood basically the same OS.

    17. Re:invitation only... $200,000 max by Plumpaquatsch · · Score: 1

      There is nothing inherently illegal about buying or selling security exploits. The federal government relies on this market.

      Remember the San Bernardino iPhone? The FBI paid 1 mil for a single use exploit. A one time payment of 200k is chump change when you could just sit on it and strike a deal with the feds of a dozen countries for its continuous use.

      Yeah, you just have to hope that nobody else takes the $200k - or gives Apple the info for free.

      --
      Of course news about a fake are Fake News.
  5. Desperate by Anonymous Coward · · Score: 0

    ...to figure out how the FBI's hackers got into that phone, eh?

  6. Funny by Plumpaquatsch · · Score: 1

    Funny how all the security experts at BlackHat cheered the announcement, while the nincompoops at Slashdot are blowing raspberries. Well, one group thinks they at least have a chance to make some money.

    --
    Of course news about a fake are Fake News.
    1. Re:Funny by Anonymous Coward · · Score: 1

      Yeah, except that blackhat is the corporate conference where suits who don't know what they're talking about go to. I tend to think defcon will probably be more in the blowing raspberries at it, mostly because of the "invite only" portion. It'd be a sound proposal if not for that one stupid thing.

    2. Re:Funny by ThatsMyNick · · Score: 1

      I am sure the feds at BlackHat were happy. Are you sure the ones that mattered were happy and cheering?

    3. Re:Funny by 93 Escort Wagon · · Score: 1

      Yeah, except that blackhat is the corporate conference where suits who don't know what they're talking about go to.

      I recently heard a unix sysadmin describe defcon as "the one the kids and people who can't get a job go to". It works both ways.

      --
      #DeleteChrome
    4. Re:Funny by Anonymous Coward · · Score: 0

      They both have almost the same talks so content wise they're not drastically different. The big differences are blackhat tends to have training while defcon costs about 10% of what blackhat does. I prefer defcon as it's much less sanitized and has much more of a hacker mentality. Blackhat feels like going to my office for meetings. And yes, I have a job, one that has me well into the 6 figure salary range even. Blackhat feels like the conference you go to when you need somebody to hold your hand through everything and defcon for those who know what they're doing and realize the value of a dollar.

    5. Re:Funny by Plumpaquatsch · · Score: 1

      I am sure the feds at BlackHat were happy. Are you sure the ones that mattered were happy and cheering?

      You are confusing that with the cheers after that announcement: https://tech.slashdot.org/story/16/08/05/1455230/googles-open-yolo-project-will-remove-the-need-for-passwords-on-android

      --
      Of course news about a fake are Fake News.
  7. How much by Anonymous Coward · · Score: 0

    for a gloryhole encounter?

    They do that at Apple, you know.

    1. Re: How much by Anonymous Coward · · Score: 0

      Did you have a good experience with your participation?

    2. Re: How much by Anonymous Coward · · Score: 0

      It was fine, other than having to get my stomach pumped.

      Too much man juice will do that to you.

  8. Bug bounty payoffs cheaper than Employees by Pitawg · · Score: 1

    Why not pay people to debug your code prior to selling that crap to others?

    "We won't wait until it is done before selling or we would make no money, and we cannot keep it secret that long either. We won't hire people to make good code, because we only hire people that do what little they are told, as fast and buggy as they can, so we can sell some more crap faster and have the buyers fix it themselves for no to low pay. We won't pay for work, only end results that we choose. And getting crap out there quick means it does not have to be secret as long."

  9. Ohh.. yeah.. Gay security. by Anonymous Coward · · Score: 0

    Just try to find a bug in our walled garden. You can't even use open source software on it without registering an account to download XQuartz.

    Apple is homosexual, find a bug in their sweaty culo.

  10. At the outset by Anonymous Coward · · Score: 0

    Quote: "The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset..."

    When you're talking about $200,000 a bug, you're talking 'real money' even for Apple. Limiting those involved limits the risk Apple takes until it can better understand the consequences. Open to anyone, they might be so deluged with reports, they wouldn't have time to investigate them all.

    Keep in mind that if you discover one of these bugs, all is not lost. You can report it through one of those two dozen and split the bounty.