Apple launches public Bug Bounty Program and delights Security Community

Apples Whitehat Hacker gift for Xmas

Due to a longer period of time (January) we have stopped our Responsible Disclosure Bug Bounty Program at Apple. The reason was that Apple's security department made many mistakes in dealing with independent security researchers and did not seriously reward them. In October, we had a meeting in Abu Dhabi (HITB Cyberweek) with an old, well known us whitehat by the name of "Jason Shirk". Jason Shirk has built up a lot of reputation and respect during his first years as a member of the MSRC Bug Bounty Team with Akila. You can see him here accepting a trophy from the Vulnerability Laboratory for the best bug bounty program. Now he is employed by Apple in the security department and brings the security and bug bounty program out of the dark and to the front. We've been waiting a long time for this and have given Apple individual feedback on older failed communications on valid bugs before the program was announced to launch at the end of the year, which has been taken into account for the new created rules. At the end of our conversation we confirmed to participate in the program again as soon as the new rules are official public & checked by independent lawyers.

"Exp. in the conversation we demanded that the local device security is taken into account as when bypassing the PIN coder or passcode functions. Since we had reported a total of 17 bugs to Apple in recent years to circumvent the protection functions, it was only foreseeable that we would make this demand for all end users. According to the new program rules you can earn 100.000€ - 150.000€ per vulnerability if you manage to bypass the security features".

Here we see parallels, like the front programs in the bug bounty area at Microsoft. The quality of the program should always be handled by secure and trustworthy key persons, as here, too, in order to maintain a certain stability in the process. Since Jason Shirk has already achieved this at Microsoft, many security researchers now hope that Apple will follow the general business rules and not set self-defined goals that cannot be adhered to in order to guarantee or ensure more product security.

After we have reported a little about the background here, we now want to talk about Apple's new public Bug Bounty Program. The "Apple Security Bounty" is officially launched today. From now, the apple accepts indications of security vulnerabilities from the general public and intends to pay out up to 1 million US dollars for zero day vulnerabilities - after the confirmed validation process. Apple promises to pay for any significant vulnerabilities in all of its own operating systems iOS, iPadOS, macOS, tvOS, watchOS as well as icloud.

Passcode bypass vulnerabilities will be rewarded with about 100.000€ - 150.000€. In case sensitive Data can be access an amount of 50.000$ comes on top. This program extend is a kind of acknowledgement to our team as well for permanently reporting (17) such kind of vulnerabilities (ios 6 - ios 13).

A further extension of the program is found in possible attacks via an app installed by the user as well as attacks on the network level. The maximum amount of 1,000,000 US dollars can then be paid out, and a remote attacker is able to completely take over a device from the latest iPhone generation - without any additional manual user interaction.

Some of the basic rules are ...
1. Be the first party to report the issue to Apple Product Security.
2. Provide a clear report, which includes a working exploit (detailed below).
3. Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue). See terms and conditions.

We are really happy about that the new program came up and that we are able to announce it as one of the first security research communities. Let's all hope that the apple does what we have all been waiting for, so that we can all continue to work together in a friendly manner on IT security for apple products. One thing has shown us all this, however, if we hadn't reported 17 passcode bugs and chased them through the press, this kind of program extension would probably never have happened.

References: Latest Report Passcode Bypass Vulnerabilities
https://www.vulnerability-lab.com/get_content.php?id=874
https://www.vulnerability-lab.com/search.php?search=passcode&submit=Search
https://www.vulnerability-lab.com/search.php?search=apple+ios&submit=Search

References: Articles
https://www.vulnerability-db.com/?q=articles/2014/09/02/apple-ios-712-de...
https://www.vulnerability-db.com/?q=articles/2016/03/07/apple-ios-v921-v...
https://www.vulnerability-db.com/?q=articles/2014/10/22/apple-ios-v802-s...
https://www.vulnerability-db.com/?q=articles/2017/08/14/apple-ios-v102-v...

We will followup on this topic and in about 1 year will will process a review with internal and independent researchers about there experience with the new public program. Let us hope the best and invest into to see some fruits growing cause zerodium and others are not alternative for a whitehat with future. We'll keep you updated.

References: Apple
https://developer.apple.com/security-bounty/