Apple is rewarding security researchers for finding security flaws in macOS. At the Black Hat conference, Apple announced that it is greatly expanding its existing bug bounty program to include macOS, tvOS, watchOS, and iCloud. It will include rewards of up to $1 million for a zero-click, full chain kernel code execution attack.
Apple announced that it is launching a new bug bounty program that will pay people up to $1 million for discovering and disclosing security flaws in macOS, tvOS, watchOS and iCloud. The company also revealed that it will provide security researchers with special iPhones to help them discover bugs before hackers do, according to Bloomberg.
The updated bug bounty program could help convince more security researchers to report vulnerabilities to Apple. Earlier this year, a security researcher detailed a macOS flaw, but refused to submit it to Apple until the company pays researchers for Mac security flaws.
By offering its new security research devices, Apple has given security researchers or at least those in its invite-only program a legit device that lets them explore the iPhone’s recesses without resorting to the black market. “If I’m not currently interested in Safari but interested in the kernel, right now I need to find a Safari exploit first,” said Henze. “With these security research iPhones, I can skip those steps.”
Apple may be concerned that the devices would fall into the wrong hands, resulting in more of its bugs being found by those would exploit rather than report them. But security researcher Will Strafach noted the market for dev-fused iPhones means those hackers already have access to more hackable phones. “People who sell zero days already have what they need. It’s the good guys who want to report bugs to Apple that don’t,” he said.
