SecureMac, Inc.

Ivan Krstic Announces Bug Bounty Program

Posted on August 30, 2016

Apple’s head of Security Engineering and Architecture made the announcement (which everyone is by now well aware of) about Apple’s soon-to-be-implemented bug bounty program at Black Hat 2016. Krstic expanded upon the parameters of the program in greater detail. Apple is offering cash payouts of varying amounts, depending on the type of vulnerability discovered:

  • SecureBoot firmware components – Up to $200,000
  • Extraction of confidential material protected by the Secure Enclave Processor – Up to $100,000
  • Execution of arbitrary code with kernel privileges – Up to $50,000
  • Unauthorized access to iCloud account data on Apple servers – Up to $50,000
  • Access from a sandboxed process to user data outside of that sandbox – Up to $25,000

The announcement was met with applause, and seen by some as a step in the right direction. After all, Apple was one of the last major tech giants that had not implemented such a program. Critics and detractors, however, didn’t take long to begin their usual finger wagging. They raise some interesting points. Chief among these is that the payouts seem meager compared to what the black market is willing to pay. Exodus Intelligence has already announced via its “Research Sponsorship Program” that it will pay up to $500,000 for Apple exploits. Zerodium, too, is offering sums that completely outclass what Apple’s bounty payment structure promises. If Apple is as serious about security as it claims to be, why would it allow competitors to outbid it for valuable security exploit data? It remains to be seen how successful the program will be, though Apple is hopeful it will help bolster its push for even greater iOS security.

While this was a monumental occasion, according to those in attendance, the announcement was overshadowed by the wealth of information Krstic provided beforehand regarding specific iOS security details. He gave an extended behind-the-scenes look at iOS security, covering three major systems: HomeKit, Auto Unlock, and iCloud Keychain. It was a highly technical presentation, for which you can view the slides here and the video here. Of the pearls of wisdom he dropped during the talk, the information about the new hardened WebKit JIT mapping for the mobile OS was seen as quite intriguing. According to Krstic, the iOS 10 version will be far superior to the iOS 9 version, as the use of separate readable and executable mapping regions will make it more difficult for attackers to inject and run harmful code. All in all, an interesting look behind the Apple curtain, especially for those heavy into the technical details of security mechanisms.