SecureMac, Inc.

Ivan Krstic Announces Bug Bounty Program

August 30, 2016

Apple’s head of Security Engineering and Architecture made the announcement (which everyone is by now well aware of) about their soon-to-be-implemented bug bounty program at Black Hat 2016. Krstic expanded upon the parameters of the program in greater detail. Apple is offering cash payouts of varying amounts, depending on type of vulnerability discovered:

  • SecureBoot firmware components – Up to $200,000
  • Extraction of confidential material protected by the Secure Enclave Processor – Up to $100,000
  • Execution of arbitrary code with kernel privileges – Up to $50,000
  • Unauthorized access to iCloud account data on Apple servers – Up to $50,000
  • Access from a sandboxed process to user data outside of that sandbox – Up to $25,000

The announcement was met with applause, and seen as a step in the right direction by some. After all, Apple was one of the last major tech giants not running such a program. Critics and detractors, however, didn’t take long to begin their usual finger wagging, and they raise some interesting points. Chief of these is that the payouts seem meager compared to what the black market is willing to pay. Exodus Intelligence has already announced via their “Research Sponsorship Program” that they will pay up to $500,000 for Apple exploits. Zerodium, too, is offering sums that completely outclass what Apple’s bounty payment structure promises. If Apple is as serious about security as it claims to be, why would it allow competitors to outbid it for valuable security exploit data? It remains to be seen how successful the program will be, though Apple is hopeful it will enable them to bolster their push for even greater iOS security.

While this was a monumental occasion, according to those in attendance, the announcement was overshadowed by the wealth of information Krstic provided beforehand regarding specific iOS security details. He gave an extended behind-the-scenes look at iOS security, covering three major systems: HomeKit, Auto Unlock, and iCloud Keychain. It was a highly technical presentation, for which you can view the slides here and the video here. Of the pearls of wisdom he dropped during the talk, information about the new hardened WebKit JIT mapping for the mobile OS was seen as quite intriguing. According to Krstic, the iOS 10 version will be far superior to the iOS 9 version, as the use of separate readable and executable mapping regions will make it more difficult for attackers to implement harmful code. All in all, an interesting look behind the Apple curtain, especially for those heavy into the technical details of security mechanisms.
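To make the JIT-mapping point concrete, here is an added example (written for this article, not Apple's or WebKit's code) of the underlying W^X idea: the same physical pages are mapped twice, once writable for the code generator and once executable for running the result, so no single mapping is ever both writable and executable. The backing object (memfd on Linux, an unlinked temp file elsewhere), the `jit_region` struct and the function names are all assumptions of this example; the byte string written into the region is constructed and is never executed. In the design Krstic described, the writable view's address is additionally kept out of ordinary memory; this example stops at the two-view mapping itself.

```c
/* Dual-mapped W^X JIT region (constructed example, not Apple's code). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef struct {
    uint8_t *rw;   /* writable view: only the code generator should touch this */
    uint8_t *rx;   /* executable view: the address generated code runs from */
    size_t   size;
} jit_region;

/* Anonymous shared backing object so both views alias the same pages. */
static int backing_fd(size_t size) {
    int fd;
#ifdef __linux__
    fd = memfd_create("jit", 0);              /* not affected by noexec /tmp */
#else
    char path[] = "/tmp/jit-XXXXXX";
    fd = mkstemp(path);
    if (fd >= 0) unlink(path);
#endif
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)size) != 0) { close(fd); return -1; }
    return fd;
}

/* Map the region twice: RW for emitting code, RX for executing it. */
int jit_region_create(jit_region *r, size_t size) {
    int fd = backing_fd(size);
    if (fd < 0) return -1;
    void *rw = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void *rx = mmap(NULL, size, PROT_READ | PROT_EXEC,  MAP_SHARED, fd, 0);
    close(fd);                                /* pages live on via the mappings */
    if (rw == MAP_FAILED || rx == MAP_FAILED) {
        if (rw != MAP_FAILED) munmap(rw, size);
        if (rx != MAP_FAILED) munmap(rx, size);
        return -1;
    }
    r->rw = rw; r->rx = rx; r->size = size;
    return 0;
}

/* Emit code through the writable view only, with bounds checking. */
int jit_emit(jit_region *r, size_t off, const uint8_t *code, size_t n) {
    if (off > r->size || n > r->size - off) return -1;
    memcpy(r->rw + off, code, n);
    return 0;
}

/* Does the executable view see exactly the bytes written via the RW view? */
int jit_rx_matches(const jit_region *r, size_t off, const uint8_t *code, size_t n) {
    return memcmp(r->rx + off, code, n) == 0;
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Probe: a write through the executable view must fault. Returns 1 if it did. */
int write_to_rx_faults(jit_region *r) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);         /* macOS reports this as SIGBUS */
    int faulted;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile uint8_t *p = r->rx;
        *p = 0xC3;                            /* rejected by the MMU */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

void jit_region_destroy(jit_region *r) { munmap(r->rw, r->size); munmap(r->rx, r->size); }

/* Walk through the full check; 0 means every property held. */
int run_demo(void) {
    jit_region r;
    const uint8_t code[] = {0x90, 0x90, 0xC3};   /* constructed bytes, never executed */
    if (jit_region_create(&r, 4096) != 0) return -1;
    int rc = 0;
    if (jit_emit(&r, 0, code, sizeof code) != 0) rc = -2;
    else if (!jit_rx_matches(&r, 0, code, sizeof code)) rc = -3;
    else if (!write_to_rx_faults(&r)) rc = -4;
    else if (jit_emit(&r, 4095, code, sizeof code) != -1) rc = -5;  /* overflow refused */
    jit_region_destroy(&r);
    return rc;
}

int main(void) {
    int rc = run_demo();
    printf("%s (rc=%d)\n", rc == 0 ? "W^X dual mapping holds" : "check failed", rc);
    return rc == 0 ? 0 : 1;
}
```

The property worth noticing is the last probe: with a single RWX mapping, a memory-corruption bug that lets an attacker write into the JIT region immediately yields executable code, whereas with two views the executable address rejects writes and the writable address is an extra secret that has to be discovered first.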
