Apple will pay ethical hackers more than $1m if they responsibly disclose dangerous security vulnerabilities to the firm, the company announced at the Black Hat security conference in Las Vegas.
The new “bug bounty”, up from a previous maximum of $200,000, could even out-bid what a security researcher could earn if they decided to skip disclosure altogether and sell the bug to a nation state or an “offensive security company”, according to data shared by Maor Shwartz, a vulnerability broker at the same conference.
Apple’s new bug bounty programme is a marked step up from a previous offering, which was limited to a select pool of pre-approved researchers. The company has also extended it to reward hackers finding vulnerabilities in watchOS and tvOS, as well as iOS and macOS.
The amount that researchers will receive depends on the severity of the bug they find. Earning $1m, for example, requires finding a weakness in iOS that can hack the kernel, the most secure layer of the operating system, without a single click from the user. There’s a potential bonus of another 50% if the bug is found in pre-release software, Apple said, potentially taking the earnings up to $1.5m for a single bug.
That matches what researchers could expect to earn if they went down the “grey hat” route and sold their finding to governments or contractors who intended to use it to hack state enemies, rather than fix it, according to Shwartz.
The “high-end market” for those sorts of buyers includes the same “zero-click RCEs” – remote command execution – for which Apple is offering its highest payout. It also includes any vulnerability in the encryption used by messaging services, including WhatsApp and iMessage, that could be used to intercept messages in transit and silently decrypt them.
Competition between governments and tech companies for knowledge of security vulnerabilities is more open than it has ever been. On the corporate side, the rise of bug bounties has ensured that responsibly disclosing weaknesses isn’t just something companies like Apple, Google and Microsoft expect hackers to do out of the goodness of their hearts, but can actually help those who find them pay the bills.
On the government side, however, companies such as Zerodium pioneered the practice of explicitly advertising that they would buy security vulnerabilities, with the intent of passing them on to government clients who use them as part of their espionage operations. In January, Zerodium raised its maximum payout to $2m, the company announced, for any vulnerability that can remotely “jailbreak” an iOS device, enabling unauthorised software installations, without requiring user interaction.
Apple is fighting back, however, issuing select security researchers pre-jailbroken iOS devices in an effort to help responsible researchers find bugs before their less ethical colleagues, according to a Forbes report from earlier this month.