Several tech companies have run hackathons in the past, engaging the skills of white hat hackers to discover flaws in their devices’ security infrastructure and recommend fixes. Apple Inc. has been no stranger to this trend, but it’s now loosening the qualification criteria for the bounty program on its devices.
The Silicon Valley giant recently opened its bug bounty program to members of the public, as interested parties now have the opportunity of winning upwards of $1 million for hacking the company’s devices.
Apple’s Bug Bounty Opens for Business, $1M Payout Included https://t.co/yB9UiGQPUd
— Eric Vanderburg (@evanderburg) December 22, 2019
Lucrative Rewards for Hackers
The program, which launched in 2016, had always been an invitation-only affair focused solely on breaking into iOS devices. However, the company expanded its scope this year, announcing at the Black Hat conference in August that it would be opening the program to the public. In addition, the company confirmed that its other platforms (macOS, tvOS, iPadOS, iCloud, and watchOS) would be added to the bug bounty list as well.
To be eligible for the grand prize, researchers will need to submit detailed descriptions of the bug they found, as well as provide sufficient information for Apple to fix it. As Apple explained, researchers who discover bugs that affect multiple platforms will get the top prize, although their case will be further bolstered if the bugs affect the latest devices and software from the company.
Bugs discovered in a beta version earn a 59 percent bonus on top of the standard reward. As examples of the payout tiers, a researcher who can bypass a device’s lock screen could earn between $25,000 and $100,000. Hackers could gain the same amount for obtaining unauthorized access to iCloud, while anyone who can extract sensitive data from a locked device could win between $100,000 and $250,000.
However, bugs that enable zero-click attacks (those that take control of a device without any action from the user) are the crème de la crème here. The requirements for a bounty in this category are strict: researchers must submit a full exploit chain with their report.
Much Needed for the New Software
Apple’s bug bounty is undoubtedly lucrative, and it could not come at a better time: the company recently released its iOS 13 platform, and as with many software updates, it has been hit with several glitches.
Tech vlogger Jose Rodriguez also posted a video explaining that people could bypass the lock screen and access contacts on the new platform. The workaround involves activating a FaceTime call, then using Siri to reach the contacts list. From there, names, phone numbers, email addresses, and much more can be obtained. However, he explained that it should be fixed in the iOS 13.1 software patch.