Apple announces bug bounty program (opens in new tab)

(techcrunch.com)

344 pointsnos4A29y ago92 comments

92 comments

This is definitely a step in the right direction. They say they're worried that their bounties won't be enough to dissuade anyone only interested in money from disclosing vulnerabilities to malicious sources. Honestly I think that a lot of people who discover these vulnerabilities would rather be paid slightly less money by disclosing to Apple and have the rep/CV fodder of "I broke Apple" that comes with a responsible public disclosure, than going through secret channels to make slightly more money at the risk of potential legal trouble.

And anyways, 200 grand is an astoundingly high ceiling for bug bounties; highest I've ever seen paid out was a "meager" 20k by Uber, and I thought that was a lot of money for a bug program at the time.

jtl9999y ago

As mentioned the program is currently invite only currently

(ie, https://twitter.com/i0n1c/status/761349794510036992)

Jerry29y ago

From the article:

>However, Apple won’t turn away new researchers if they provide useful disclosures, and plans to slowly expand the program.

I'm reading this as: if you find a serious bug and report it, you'll get the money.

Godel_unicode9y ago

I haven't read the article, but I was at the announcement and your take is exactly how it was clarified in the room.

If you do good work and report it, you'll get paid accordingly.

1 more reply

bjterry9y ago

I read that as: if you find a bug and report it, you may get invited into the formal bug bounty program (but may not get a payout on the first one).

No idea if that's right though.

1 more reply

jim-greer9y ago

I imagine if you find a good bug and aren't on their list, you could bring in someone who is to help out...

1 more reply

hurricaneSlider9y ago

I'm a bit surprised, because you'd think that they'd have been doing this already.

MBCook9y ago

Apple has slowly been opening up, they used to be such an incredibly secretive company under Jobs there's no way this would've ever happened.

Whoops. I just said "Steve Jobs never would've let this happen" line. Oh well.

They're letting in third-party keyboards another extensions, small additions to Siri, releasing actual software on android, it's not too surprising that they might be willing to do this now. Been very open on swift.

jmspring9y ago

There was a time if you had issues with hardware, and email to Steve Jobs actually resulted in a customer escalation. I had one of the 15" MBPs that had the Nvidia chip issue, but never experienced that. But had 3 other problems -- all handled (first time for me with Mac hardware). A polite email on a friday night after I did hit my 4th hardware issue, next trip to the apple store was for a "in kind" based on purchase price replacement.

Apple Software has been suffering for awhile. And where software was involved, he certainly did call teams out for failures, but we also ended up with the path iTunes is on under his watch.

That said, I don't know now, but at a time, an email to Jobs did make things happen.

2 more replies

robzyb9y ago

Just for the sake of discussion: Are they opening up because they need to do this to survive? And they need to do this to survive because their products aren't as good as they used to be and they can't live in an enclosed environment?

1 more reply

bpchaps9y ago

I had the.. pleasure.. of speaking to Comcast's CISO after doing a security risk exposure disclosure. Before talking to her, there were mentions of bug bounties, etc (neat). After talking to her, though, she said in a hand-wavy way that:

1. The exposure wasn't a "bug", so it's not worth a bug bounty.

2. The amount of effort it would take to start a bug bounty program would be far too cost prohibitive. In other words, "Everything's broken. We know it. If we start paying people to find what's broken, we'd go bankrupt." Heh.

So yeah. Don't be surprised.

abalone9y ago

That is Comcast's reasoning, not Apple's. As the article notes, it's the opposite problem: Apple's internal team is running out of vulns to find.

2 more replies

jakelarkin9y ago

I suspect for large companies most bug bounty programs are net economic positives, especially weighed against cost of probable breaches or the comparable spend required on in-house engineering to find all the bugs otherwise cheaply and quickly identified by the bounty. The problem is social/political for senior executives to accept that discussion of flaws in the open is a good thing.

mhurron9y ago

The popularity of bug bounty programs is pretty new. Apple is often behind on things that seem to be obvious to everyone else.

sjtgraham9y ago

I'm not familiar with the market but these seem low when you consider:

- The effort required to find them

- The damage that can be inflicted on Apple in terms of brand goodwill and the subsequent loss of sales, e.g. The SEP implications for ApplePay

- The damage that can be inflicted on users and 3rd parties, e.g. imagine the amount of cash banks would be on the hook for if someone managed to say write a worm that used iMessage/SMS to propagate without user knowledge (e.g. with the recent TIFF vulnerability), and transfer funds from the user's bank account? Or made calls to the baseband to dial shady $10/minute premium rate numbers in some banana republic at 3AM every night?

- The amount of money TLAs and black market actors allegedly pay per the TC article.

- How much money Apple actually has, especially all the offshore cash that can't be repatriated to the US without incurring exorbitant capital gains. These bug bounties could be be remitted from any Apple subsidiary.

- Large bug bounties would de facto end jailbreaking

- Knowing Apple there would be endless NDAs and restrictive covenants before any payout is made.

IMO with all this considered the max payouts seem irrationally paltry.

eridius9y ago

As tptacek loves to point out, the point of bug bounty programs is not to compete on price with the black market. And in fact, according to the article, the $200k Apple is offering is one of the highest for corporate bug bounty programs already.

tptacek9y ago

That $200k boot ROM bounty might be the single instance I know of where a stated bounty value might be lower than the actual market for the vulnerability. If you were slick, you might make more from that bug than Apple would pay with the bounty. That is a bug class with a current, existing, liquid market.

The rest of them seem more than reasonable.

None of them are adequate compensation for the full-time work of someone who can find those kinds of bugs. Nor are they meant to be. If you can, for instance, find a bug that allows you to violate the integrity of the SEP, you have a market value as a consultant significantly higher than that $100k bug bounty --- which will become apparent pretty quickly after Apple publicly thanks you for submitting the bug, as they've promised to do.

dharmon9y ago

No doubt there's going to be some low-hanging fruit (speaking relative to the experience of the participants) that is going to get scooped up quickly, so why would they open the program at something higher? Just high enough to entice the experts to pick off the "easy" ones seems the intelligent thing to do.

When they go a year or two with no bugs found maybe you'll see them start upping the bid.

honkhonkpants9y ago

I wonder if they are backfilling rewards to any of the external researchers who have been doing all of Apple's security research for the last decade. Just as an example, a single researcher from Google is credited with 11 separate vulnerabilities that would qualify for the $50k reward, in a single patchlevel of OS X (and the same person had five such credits in the patchlevel prior to that!). That's almost a million bucks worth of rewards in only half a year of disclosures.

eriknstr9y ago

I don't think it would make economical sense for Apple to pay for something that they already got for free.

honkhonkpants9y ago

Sure, but it would be a gesture of goodwill and a way of making amends for years of freeloading.

1 more reply

tptacek9y ago

Among the many reasons this is very unlikely to happen, the bounty values we see now account for the increased difficulty of finding these kinds of vulnerabilities in iOS since its earliest releases. This is an OS that was designed as a platform for secure applications --- that's part of the premise of apps on the Apple phone --- and it's gotten much harder to find and exploit vulnerabilities on the platform since that release.

godzillabrennus9y ago

Next they need to offer a bounty program for usability issues. iOS needs a lot of love since Forstall got squeezed out.

nikofeyn9y ago

iOS? what about mac os x? it's completely stagnated if not gotten worse from a usability standpoint.

nxzero9y ago

Wonder if they'll include their servers too; appears they're only doing the most recently released OS and hardware.

et-al9y ago

Towards the bottom of the article they note this:

  The program launches in September with five categories of risk and reward:

  Vulnerabilities in secure boot firmware components: Up to $200,000
  Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
  Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
  Access to iCloud account data on Apple servers: Up to $50,000
  Access from a sandboxed process to user data outside the sandbox: Up to $20,000

alfanick9y ago

I've once found security bug on OS X/Mac (low chance of occuring, however gives complete access), reported complete steps to reproduce and solutions - received moreless copy-pasted response - two years, two OS X versions later - the bug is still there, even though it looks like 5 minutes fix...

yorwba9y ago

Report it again, take the bounty?

alfanick9y ago

the problem with current state of the bounty program is that it's invitation-only (i'm no security researcher) and ios-centered :/

skizm9y ago

The question is will they pay $1,000,000 for an exploit that unlocks an iphone?

http://www.reuters.com/article/us-apple-encryption-idUSKCN0X...

biot9y ago

The article already addresses this:

  While $200,000 is certainly a sizable reward — one of the
  highest offered in corporate bug bounty programs — it won’t
  beat the payouts researchers can earn from law enforcement or
  the black market. The FBI reportedly paid nearly $1 million
  for the exploit it used to break into an iPhone used by Syed
  Farook, one of the individuals involved in the San Bernardino
  shooting last December.

Interestingly, for altruistic / independently wealthy researchers there's an incentive to report to Apple:

  In an unusual twist, Apple plans to encourage researchers to
  donate their earnings to charity. If Apple approves of a
  researcher’s selected institution, it will match their donation —
  so a $200,000 reward could turn into a $400,000 donation.

et-al9y ago

Smart move. That's not too shabby of a tax deduction.

1 more reply

skizm9y ago

Yea, I was just kidding. Also, selling the exploit to Apple is more of a guarantee than waiting around to see if the government needs it (assuming you want to stay legal).

danjoc9y ago

Odd. That's right around the same price zerodium is willing to pay.

https://www.zerodium.com/ios9.html

Ever notice, you never see Superman and Clark Kent in the same room? ;)

nxzero9y ago

$200k appears to be the maximum payout.

pepijndevos9y ago

Am I reading it correctly that this is only iOS, and not other Apple software?

0xmohit9y ago

Charlie Miller must be happy.

https://twitter.com/0xcharlie

jordache9y ago

how about you fix bugs that are already well known, like how the sd reader dies after a while in el cap?

amenghra9y ago

That has nothing to do with security.

jrcii9y ago

Finally, I'm going to be rich!

hoodoof9y ago

I wish Apple would just fix the myriad ordinary bugs, let alone focus on security.

j / k navigate · click thread line to collapse

92 comments

joebergeron9y ago

jtl9999y ago

As mentioned the program is currently invite only currently

(ie, https://twitter.com/i0n1c/status/761349794510036992)

Jerry29y ago

From the article:

>However, Apple won’t turn away new researchers if they provide useful disclosures, and plans to slowly expand the program.

I'm reading this as: if you find a serious bug and report it, you'll get the money.

Godel_unicode9y ago

I haven't read the article, but I was at the announcement and your take is exactly how it was clarified in the room.

If you do good work and report it, you'll get paid accordingly.

1 more reply

bjterry9y ago

I read that as: if you find a bug and report it, you may get invited into the formal bug bounty program (but may not get a payout on the first one).

No idea if that's right though.

1 more reply

jim-greer9y ago

I imagine if you find a good bug and aren't on their list, you could bring in someone who is to help out...

1 more reply

hurricaneSlider9y ago

I'm a bit surprised, because you'd think that they'd have been doing this already.

MBCook9y ago

Apple has slowly been opening up, they used to be such an incredibly secretive company under Jobs there's no way this would've ever happened.

Whoops. I just said "Steve Jobs never would've let this happen" line. Oh well.

jmspring9y ago

Apple Software has been suffering for awhile. And where software was involved, he certainly did call teams out for failures, but we also ended up with the path iTunes is on under his watch.

That said, I don't know now, but at a time, an email to Jobs did make things happen.

2 more replies

robzyb9y ago

1 more reply

bpchaps9y ago

1. The exposure wasn't a "bug", so it's not worth a bug bounty.

So yeah. Don't be surprised.

abalone9y ago

That is Comcast's reasoning, not Apple's. As the article notes, it's the opposite problem: Apple's internal team is running out of vulns to find.

2 more replies

jakelarkin9y ago

mhurron9y ago

The popularity of bug bounty programs is pretty new. Apple is often behind on things that seem to be obvious to everyone else.

sjtgraham9y ago

I'm not familiar with the market but these seem low when you consider:

- The effort required to find them

- The damage that can be inflicted on Apple in terms of brand goodwill and the subsequent loss of sales, e.g. The SEP implications for ApplePay

- The amount of money TLAs and black market actors allegedly pay per the TC article.

- Large bug bounties would de facto end jailbreaking

- Knowing Apple there would be endless NDAs and restrictive covenants before any payout is made.

IMO with all this considered the max payouts seem irrationally paltry.

eridius9y ago

tptacek9y ago

The rest of them seem more than reasonable.

dharmon9y ago

When they go a year or two with no bugs found maybe you'll see them start upping the bid.

honkhonkpants9y ago

eriknstr9y ago

I don't think it would make economical sense for Apple to pay for something that they already got for free.

honkhonkpants9y ago

Sure, but it would be a gesture of goodwill and a way of making amends for years of freeloading.

1 more reply

tptacek9y ago

godzillabrennus9y ago

Next they need to offer a bounty program for usability issues. iOS needs a lot of love since Forstall got squeezed out.

nikofeyn9y ago

iOS? what about mac os x? it's completely stagnated if not gotten worse from a usability standpoint.

nxzero9y ago

Wonder if they'll include their servers too; appears they're only doing the most recently released OS and hardware.

et-al9y ago

Towards the bottom of the article they note this:

  The program launches in September with five categories of risk and reward:

  Vulnerabilities in secure boot firmware components: Up to $200,000
  Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
  Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
  Access to iCloud account data on Apple servers: Up to $50,000
  Access from a sandboxed process to user data outside the sandbox: Up to $20,000

alfanick9y ago

yorwba9y ago

Report it again, take the bounty?

alfanick9y ago

the problem with current state of the bounty program is that it's invitation-only (i'm no security researcher) and ios-centered :/

skizm9y ago

The question is will they pay $1,000,000 for an exploit that unlocks an iphone?

http://www.reuters.com/article/us-apple-encryption-idUSKCN0X...

biot9y ago

The article already addresses this:

  While $200,000 is certainly a sizable reward — one of the
  highest offered in corporate bug bounty programs — it won’t
  beat the payouts researchers can earn from law enforcement or
  the black market. The FBI reportedly paid nearly $1 million
  for the exploit it used to break into an iPhone used by Syed
  Farook, one of the individuals involved in the San Bernardino
  shooting last December.

Interestingly, for altruistic / independently wealthy researchers there's an incentive to report to Apple:

  In an unusual twist, Apple plans to encourage researchers to
  donate their earnings to charity. If Apple approves of a
  researcher’s selected institution, it will match their donation —
  so a $200,000 reward could turn into a $400,000 donation.

et-al9y ago

Smart move. That's not too shabby of a tax deduction.

1 more reply

skizm9y ago

Yea, I was just kidding. Also, selling the exploit to Apple is more of a guarantee than waiting around to see if the government needs it (assuming you want to stay legal).

danjoc9y ago

Odd. That's right around the same price zerodium is willing to pay.

https://www.zerodium.com/ios9.html

Ever notice, you never see Superman and Clark Kent in the same room? ;)

nxzero9y ago

$200k appears to be the maximum payout.

pepijndevos9y ago

Am I reading it correctly that this is only iOS, and not other Apple software?

0xmohit9y ago

Charlie Miller must be happy.

https://twitter.com/0xcharlie

jordache9y ago