Apple finally has a bug bounty program.
The company’s head of security engineering and architecture, Ivan Krstic, announced the invite-only program during a rare public appearance at the Black Hat USA 2016 hacker convention in Las Vegas on the night of August 4.
Krstic, whose team is responsible for the end-to-end security of all Apple products, said during his Thursday presentation, “Behind the Scenes of iOS Security,” that the company will pay up to $200,000 for reported bugs.
Compensation depends on the type of hack: accessing sandboxed app data is worth up to $25,000, while compromising secure boot firmware components can net the $200,000 maximum.
Apple’s shift from relying on researchers’ goodwill to offering a reward for bug disclosures is likely motivated by the hack of an iPhone 5c connected to the San Bernardino shooting of 2015. The public knows little about the hack and whether it could still be used to break into an iPhone.
Black Hat attendee Robert McCarthy tweeted:
Audience: “How much did FBI issue influence your position?”
Ivan Krstic: “I am an engineer here to answer technical questions”
Even the FBI, which paid a still-unknown third party to hack the iPhone when Apple refused to help in the case, doesn’t know how the device was compromised. It might not even know how much the hack really cost, as FBI director James Comey’s claim that it cost around $1.3 million was refuted by later reports which claimed it actually cost less than $1 million.
That ambiguity is even more concerning because the FBI didn’t find anything on the device. This means one of the world’s foremost law enforcement agencies gave an unknown amount of money to an unknown company to perform an unknown hack — thus proving it could be done and that everyone with an iPhone 5c is at risk — without getting anything in return.
A bug bounty program could allow Apple to eliminate some of those variables and make its products more secure. Yet it’s weird that the program will start with a few dozen researchers and expand by invitation only. The point of a bug bounty program is usually to get as many people as possible to poke around various security features to see what they’re able to work around.
Apple reportedly plans to invite more people to the program as time goes on, and to “invite” anyone who reports a serious vulnerability through other channels, but for now it seems that Apple is merely dipping its toes into the bug bounty pool. That’s characteristic of the company, which is often cautious, but will likely be disheartening for anyone who wanted to vie for the rewards as soon as possible.
Still, this is unmistakable progress for Apple. So was Krstic appearing at an event like Black Hat USA in the first place. Combined with other changes, like the decision not to encrypt the iOS 10 kernel, it seems that the San Bernardino episode’s legacy could be an Apple that’s willing to step out of the shadows so it can keep the many people who use its products a little safer.