Apple has expanded its bug bounty program to all researchers, with a US$1 million top prize, to turn black hats white.

Apple is taking bug bounties to a new level — a level that some say could spur an arms race to acquire zero-day vulnerabilities between the good guys and bad guys.

Bug bounties have been around for a long time in the world of IT, where a generation is three to five years, or maybe less.

It was 1995 when Netscape launched the first, offering cash rewards to those who found security bugs in their Netscape Navigator 2.0 Beta. That’s pre-Facebook — by nine years. Pre-Google by three years. Pre-iPhone by more than a decade.

Apple’s new bug bounty program

The company has been notorious not only for its walled-off ecosystem, but also for denying even most white hat hackers access to the internal workings of its operating systems. It has historically worked with hand-picked, invite-only security researchers.

Not anymore. At the recent Black Hat security conference in Las Vegas, Ivan Krstić, Apple’s head of security engineering and architecture, announced an overhaul of Apple’s bug bounty program that massively sweetens the payouts — the top award will jump from $200,000 to $1 million — and also opens it up to all researchers.

Beyond that, it expands the program, which began about three years ago and was applicable only to iOS, to include macOS, watchOS, tvOS, iPadOS, and iCloud, plus the devices that run on those operating systems.

Who wants to be a millionaire?

The $1 million award is reserved for disclosure of a vulnerability that would allow a remote attack that can gain total, persistent control of a user’s computer without any action by the victim (such as clicking on a malicious link).

Among the vulnerabilities that will yield less – but still significant – awards:

  • Lock screen bypass: US$100,000
  • Unauthorized access to high-value user data: US$100,000
  • Kernel code execution: US$150,000
  • One-click unauthorised access to high-value user data: US$150,000
  • User data extraction: US$250,000
  • CPU side-channel attack on high-value data: US$250,000
  • One-click kernel code execution: US$250,000
  • Zero-click radio to kernel with physical proximity network attack: US$250,000
  • Zero-click access to high-value user data: US$500,000

A bidding war

What also seems to be happening is a bit of a bidding war. Companies like Apple and Microsoft knew that even well-intentioned researchers could be tempted by what criminal hackers or hostile nation-states might pay for exploits nobody else knows about.

Bounties in the range of US$150,000 to US$1 million are more likely to persuade them to play for the good guys.

John Kozyrakis, research engineer at Synopsys said: “It is so teams of people that currently look for bugs will sell to Apple directly instead of middlemen. Apple is just trying to change the incentives so that their research goes to Apple instead of the NSA or foreign governments through middlemen.”

The need for a bug bounty program

One of the reasons hacking is a relatively easy way for criminals to make money is that so many connected products in the market ship with bugs or other defects that weren’t found and fixed during development.

But, experts say, no matter how rigorous security testing is during the software development life cycle (SDLC), the need for bug bounties remains.

As Rehan Bashir, managing consultant, Synopsys, put it: “A company as big as Apple already hires the best-of-the-best developers and security researchers, and even then a teenager was able to find a bug in the iPhone FaceTime application, which lets users hear the audio of the person they are calling even before the call is picked up.”

Sami Laine, director of technology strategy at Okta, said: “Apple’s platforms, especially iOS, are arguably the most secure in the industry. However, Apple recognizes that having global diversity in researchers is critical for uncovering novel attack vectors.”

Weak links in the chain

Ksenia Peguero, senior research lead at Synopsys, noted that “there is a difference between the defects that internal security reviewers will find and the issues that bug bounty hunters will report. Systems are increasingly interconnected, which can lead to a chained attack vector.”

“However, a low vulnerability in one system, chained with another low vulnerability within a second system, in addition to a vulnerability in the vendor system may together result in a significant compromise,” Peguero added.

Raising the security bar

Of course, there is always a risk that even good money won’t buy up every potential exploit. “This sort of bug bounty program stands to create an arms race. What guarantee is there that an exploit developer shares all critical vulnerabilities?” asked Tom Kellermann, chief cybersecurity officer, Carbon Black.

But he agreed that the ideal scenario is for organisations to combine solid internal DevSecOps and work with outside researchers to augment those efforts.

Bashir concluded: “Apple not only created a challenge for its developers and researchers to develop more secure software but also addresses the fact that no matter how effective a company’s internal secure development processes are, there is a much larger user base out there that will continue to try to break the software that Apple is producing.”