Apple has announced that they will be expanding the scope of their mac bug bounty program and will also pay up to $1 million as a reward to anyone who is able to hack an iPhone. Not only will their program include a reward for hacking an iPhone but they will also expand the scope to cover all of Apples operating systems, including the Apple Watch, Apple TV and iCloud platform.
Apple launched their bug bounty program in 2016, encouraging hackers to report security vulnerabilities found in their products but only to a small group of researchers, as an invitation-only group. It originally offered a maximum $200,000 reward, a fraction of what hackers can receive for exposing bugs on the black market rather than reporting them directly to Apple. Additionally, whilst Apples range of iPhones and iPads were the most popular devices for targeting, their decision to limit the program to iOS left all other platforms significantly more vulnerable to hackers.
Apples head of security engineer, Ivan Krstić, announced at the Black Hat conference in Las Vegas that Apple will be expanding the bug bounty program to include tvOS, watchOS and iCloud as well as the already included iOS and macOS platforms, offering rewards to anyone who can find vulnerabilities in any Apple device.
The news surrounding Apples bug bounty program is significant, as earlier this year teenage hacker Linuz Henze discovered a serious weakness in Apples macOS keychain, but refused to share it with Apple. Henze’s protest was in aid of forcing Apple into expanding their bug bounty program and arguably, it has appeared to work.
An announcement was also made that Apple will be opening up their bug bounty programme to all security researchers who are interested, rather than the ‘invitation-only’ group previous to this announcement. This now allows anyone who finds a high profile security vulnerability, in any Apple product, to earn a bounty by revealing their findings to Apple.
