Until now, Apple has resisted calls to offer a bug bounty program like many other companies ranging from AT&T to Tesla Motors to Zynga. However, an Apple executive has revealed that the company plans to offer cash awards to a select group of security researchers who can identify vulnerabilities in key application areas.
The company plans to award bounties of $25,000 to $200,000 to unnamed researchers who will be invited to prove exploits in specific types of Apple software, Ivan Krstic (pictured above), head of Apple security engineering and architecture, said yesterday during his presentation about iOS security at the Black Hat security conference in Las Vegas. Set to begin in September, the bug bounty program will focus on areas affecting Apple's iCloud or iOS systems.
As a number of observers have noted, Krstic's announcement is unusual because Apple typically reveals big program news at its own Worldwide Developer Conference (WWDC) (the most recent one was held in June) rather than at other venues. However, news of its bug bounty program isn't necessarily surprising in light of the iPhone security faceoff it had with the U.S. Federal Bureau of Investigation earlier this year, as well as the company's recent moves to open up some of its code to app developers.
Evolving Security Landscape
Following a mass shooting in San Bernardino, Calif., in December of 2015, the FBI obtained a court order to compel Apple to create new code so the agency could unlock an iPhone used by one of the shooters. Apple fought the order, arguing that such action could leave its systems less secure for users in general, and the FBI eventually withdrew its court request after paying $1 million to an unnamed third party that was able to bypass the iPhone's security.
In the aftermath of that legal skirmish, Apple has indicated it aims to make future versions of its operating system software even more secure. At this year's WWDC, the company also revealed plans to open up more of its code to developers to enable the development of new apps that will work with, for example, Apple's Siri intelligent assistant.
Apple did not respond to our request for comment today about its new bug bounty program by press time. However, security analyst Rich Mogull wrote in a blog post yesterday that the program, while not a must-have for Apple, is a "good start."
"Apple took a very measured and thoughtful approach to the creation of a bounty program, which is not unreasonable given their corporate culture," Kymberlee Price, senior director of research operations at Bugcrowd, told us today via email. "Historically Apple has been very opaque about security issues; their only communication has been in the form of security advisories that accompany software updates to their products to inform customers. Running a bounty program draws attention not to features or products, but vulnerabilities, something that has been at odds with Apple's communication strategy."
Price added that Apple is taking a page from Bugcrowd's recommended playbook by limiting program participation to a select group of highly skilled researchers, which should help ensure "high 'signal' and minimal 'noise.'" She noted the program should help Apple achieve "even greater product security than they enjoy today."
Growing Adoption by Enterprises
"This won't motivate the masses or those with ulterior motives, but it will reward researchers interested in putting in the extremely difficult work to discover and work through engineering some of the really scary classes of exploitable vulnerabilities," noted Mogull, founder of the security company Securosis. He added that Apple's program sets "clear objectives" and -- as fits with the company's reputation -- focuses on "quality, not quantity."
The growing challenges of securing information technologies are driving changes in the practice of offering rewards for identifying vulnerabilities, the crowdsourced security firm Bugcrowd noted in its recent "State of Bug Bounty" report.
"Bug bounty programs are moving from the realm of novelty towards becoming best practice," the report stated. "While bug bounty programs have been used for over 20 years, widespread adoption by enterprise organizations has just begun to take off within the last few."
The Bugcrowd report found that average rewards to researchers have grown by 47 percent over the past year, and that adoption of such programs is fastest among enterprise organizations with 5,000 or more employees.
Image Credit: Photo by Sarah Barbour [CC BY-SA 3.0], via Wikimedia Commons.
Posted: 2016-08-05 @ 10:19am PT
Good step from Apple ahead.