Apple is finally giving security researchers something they’ve wanted for years: a macOS bug bounty.
The technology giant said Thursday it will roll out the bug bounty program to include Macs and MacBooks, as well as Apple TV and Apple Watch, almost exactly three years after it debuted its bug bounty program for iOS.
The idea is simple: you find a vulnerability, you disclose it to Apple, they fix it — and in return you get a cash payout. These programs are wildly popular in the tech industry as it helps to fund security researchers in exchange for serious security flaws that could otherwise be used by malicious actors, and also helps fill the void of bug finders selling their vulnerabilities to exploit brokers, and on the black market, who might abuse the flaws to conduct surveillance.
But Apple had dragged its feet on rolling out a bug bounty to its range of computers. Some security researchers had flat-out refused to report security flaws to Apple in absence of a bug bounty.
At the Black Hat conference in Las Vegas, head of security engineering and architecture Ivan Krstić announced the program to run alongside its existing iOS bug bounty.
Patrick Wardle, a security expert and principle security researcher at Jamf, said the move was a “no brainer.”
Wardle has found several major security vulnerabilities and dropped zero-days — details of flaws published without allowing the companies a chance to fix — citing the lack of a macOS bug bounty. He has long criticized Apple for not having a bug bounty, accusing the company of leaving a void open for security researchers to sell their flaws to exploit brokers who often use the vulnerabilities for nefarious reasons.
“Granted, they hired many incredible talented researchers and security professionals — but still never really had a transparent mutually beneficial relationship with external independent researchers,” said Wardle.
“Sure this is a win for Apple, but ultimately this a huge win for Apple’s end users,” he added.
Apple said it will open its bug bounty program to all researchers and increase the size of the bounty from the current maximum of $200,000 per exploit to $1 million for a zero-click, full chain kernel code execution attack with persistence — in other words, if an attacker can gain complete control of a phone without any user interaction and simply by knowing a target’s phone number.
Apple also said that any researcher who finds a vulnerability in pre-release builds that’s reported before general release will qualify for up to 50% bonus on top of the category of vulnerability they discover.
The bug bounty programs will be available to all security researchers beginning later this year.
The company also confirmed a Forbes report, published earlier this week, saying it will give a number of “dev” iPhones to vetted and trusted security researchers and hackers under the new iOS Security Research Device Program. These devices are special devices that give the hackers greater access to the underlying software and operating system to help them find vulnerabilities typically locked away from other security researchers — such as secure shell.
Apple said that it hopes expanding its bug bounty program will encourage more researchers to privately disclose security flaws, which will help to increase the protection of its customers.