Slashdot Mirror


Apple Announces Bug Bounty At Black Hat With Maximum $200,000 Reward (threatpost.com)

msm1267 quotes a report from Threatpost: Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty. The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of bugs in iOS and iCloud are in scope. Apple said the maximum reward will be $200,000 for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 for access from a sandboxed process to user data outside that sandbox.

7 of 39 comments

  1. Invitation-only by Anonymous Coward · · Score: 4, Insightful

    I don't think Apple understands the concept of the bug bounty program. Making it invitation-only will not persuade those who find bugs and have not been invited from sharing the details of the bug with you.

    1. Re:Invitation-only by Space+cowboy · · Score: 2

      Yep, they ought to let you in to the "invite" group if you find something and they didn't "invite" you. For feck's sake Apple. Oh, wait, that's the 3rd paragraph in TFA.

      Seriously, this is how Apple do it - they start a small project off to get experience, then they roll it out. I can't see the problem here...

      --
      Physicists get Hadrons!
  2. invitation only... $200,000 max by fustakrakich · · Score: 5, Insightful

    In the meantime the uninvited enjoy much greater rewards exploiting the bugs

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:invitation only... $200,000 max by macs4all · · Score: 2

It's an iOS-only thing. Doesn't include MacOS, WatchOS or TVOS.

      I understand WatchOS and TVOS not being included, since they are, in large part, iOS; but not having a separate bounty for macOS seems kind of odd. Anyone care to elaborate on why that might be?

    2. Re:invitation only... $200,000 max by Kjella · · Score: 3, Insightful

      In the meantime the uninvited enjoy much greater rewards exploiting the bugs

So? You also make more money selling crack cocaine than burgers at McDonald's; bounties are there so white hats who want to be legit security researchers can make a living. I really doubt there are many who flip-flop between white hat and black hat depending on who's the highest bidder.

      --
      Live today, because you never know what tomorrow brings
    3. Re:invitation only... $200,000 max by Plumpaquatsch · · Score: 2

It's an iOS-only thing. Doesn't include MacOS, WatchOS or TVOS.

      I understand WatchOS and TVOS not being included, since they are, in large part, iOS; but not having a separate bounty for macOS seems kind of odd. Anyone care to elaborate on why that might be?

      Well, ultimately all smallprintOS are just OS X [cue Steve Jobs at the introduction of the iPhone saying it will run OS X] with a (more or less) different UI-API suited to the device class they run on. And any bug found outside that UI will benefit the core OS X and thus all other smallprintOS.

      --
      Of course news about a fake are Fake News.
    4. Re:invitation only... $200,000 max by fustakrakich · · Score: 2

      You also make more money selling crack cocaine than burgers at McDonald's

Exactly, that's why crack is available, delivered to your doorstep (soon by drone) 24/7. McDonald's sales amount to ~25 billion per year. Cocaine ~88 billion. Contraband is a bigger part of the economy than people like to admit. And those McDonald's employees could use a little supplemental income.

If you want your bounties to work, you can't go around putting conditions on them. Most people are going to take the path of least resistance. In fact, they will go to the highest bidder. And like the AC said above, why go to the Black Hat conference when you are better off putting an ad in the paper? That's like trying to get the Afghan poppy grower to replace his crop with wheat. Where's the money in that? Maybe they don't want to advertise just how profitable the exploits are to the whole world? After all, it is extremely easy money for very little effort. Only the stupid and the excessively greedy are going to get caught, and they are the only ones you read about.

      This is a game that the biggest sociopath is always going to win. So the question is how to deal with that without being one. I suppose using honeypots instead of bounties is a partial solution, but it only deals with one sector of the market, those who want to sell their exploits instead of using them. Still it is the better direction to take. It would do more to take the profit out of the business. Bounties do exactly the opposite.

      --
      “He’s not deformed, he’s just drunk!”