Apple’s ‘invite-only’ bug bounty program

Tech titan, Apple, which has long maintained a tip line for disclosing security issues, is planning a bug bounty program that will offer cash in exchange for undiscovered vulnerabilities in its products, the company announced at the Black Hat conference held yesterday. The program will offer cash rewards for working exploits that target the latest version of iOS or the most recent generation of hardware.

Apple announced the latest program in the wake of the San Bernardino case this year. In order to break security measures on an alleged killer’s phone, police purchased an undisclosed vulnerability. Until now, Apple has relied only on internal security teams and informal relationships with researchers to find any vulnerability in its software or hardware.

The Bug Bounty Program, launching in September, will begin as invite-only including only a few dozen researchers and limited to five distinct categories of bugs. The most valuable category — worth up to $200,000 — is the vulnerability that compromises the secure boot firmware components, the heart of Apple's hardware protections. These vulnerabilities are also particularly useful for jailbreaks.

Smaller rewards are available for the extraction of data from the Secure Enclave, extraction of arbitrary code, escaping a sandboxed process, and obtaining unauthorized access to iCloud account data.

Apple says that the invite-only format will become more open as the program grows. If a non-member approaches Apple with a significant bug, they’ll be invited into the program to work it through.

Accepting that invite system is unusual for a bounty program, Apple says they have selected the system in order to weed out spurious submissions and make sure trusted researchers had adequate support from the company.

Bug bounty programs have become an increasingly popular way to encourage responsible disclosure once a vulnerability is found. Uber, Fiat Chrysler, and the Department of Defense have all launched similar programs this year.