Apple has raised the maximum amount it offers hackers for finding vulnerabilities in iPhones and Macs to $1 million. It is by far the largest bug bounty on offer from any major tech company.
That’s up from $200,000, and the program will be open to all researchers in the spring. Previously (since its start three years ago) only those on the company’s invitation-only iOS bug bounty program were eligible for rewards. Now it’s going to cover iCloud, iOS, tvOS, iPadOS, watchOS, and macOS.
Apple confirmed on Thursday that it is also launching a Mac bug bounty, and it is expanding the program to watchOS and to its operating system for Apple TV. The announcements came at the Black Hat conference in Las Vegas, where Ivan Krstić, head of security engineering at Apple, gave a talk about security in iOS and macOS.
Apple will also offer “developer devices” to bug bounty participants: iPhones that allow hackers to dig further into iOS, according to Forbes. For example, they can pause the processor to look at what is happening with data in memory. Krstić confirmed that the iOS Security Research Device program will be available by application only. It’s going to come next year.
But who gets the max sum of $1 million?
The maximum $1 million is going to go to researchers who can find a kernel exploit (the kernel is the core of iOS) that allows attackers to take control of a phone without any user interaction. Those who can find a “network attack that requires no user interaction” will receive up to $500,000. There is also a 50 percent bonus for hackers who find vulnerabilities in software before it is released.
Apple is increasing these rewards in the face of an increasingly lucrative private market, where hackers sell the same vulnerabilities to governments for large sums.
The price of a single exploit (a program that uses vulnerabilities, typically to take control of a laptop or phone) can be as much as $1.5 million, as Maor Shwartz told Forbes. For example, an exploit targeting WhatsApp that requires no clicks from the user can be sold to a government agency for that much, though such tools are rare. Only one or two per year are purchased from a pool of approximately 400 researchers focused on such high-end hacking. “Researching them and producing a working exploit is really difficult,” he said.