Apple’s announcement that it would launch a bug bounty program to pay hackers who identify security vulnerabilities in their products was one of the big stories coming out of the annual Black Hat conference in Las Vegas last week. The decision shows that Apple is finally catching up with the rest of the tech world by adopting a practice that many of its peers and competitors—including Google, Microsoft, Facebook, and Samsung—have been using for years to reward non-employees who report security flaws.
But Apple’s new program is no mere imitation of their competitors’. Rather, it’s a significant and striking departure from the standard model in which companies offer anywhere from a few hundred dollars to a few thousand to anyone who finds any vulnerability that the company deems sufficiently important. Instead, Apple plans to offer much larger rewards, with bounties of up to $200,000 for certain types of vulnerabilities. (Compare that to Google, where bounties top out at $20,000, or Microsoft, where the maximum reward for finding a single vulnerability is $100,000.)
But the high payouts mark only one way that Apple has altered the traditional calculus of bug bounties. Even more significant is the company’s decision to limit the program to a select number of individuals and five specific targeted categories of vulnerabilities. Rather than throwing open its program to anyone with an aptitude for bug hunting and security exploits, Apple will invite only a few dozen researchers to participate at the program’s outset, though others may still submit vulnerabilities to the company in hopes of being invited to join.
This model is even more exclusive than the approach taken by the Department of Defense when it piloted its Hack the Pentagon program earlier this year for nongovernment employees to win money for finding vulnerabilities in public DoD webpages. The DoD allowed anyone who was a U.S. citizen or resident and was not on a terrorism or criminal watchlist to register for the bug-finding competition, but they then had to undergo a background check before they were cleared to participate. Apple, by contrast, will go out and identify the people it believes will have the most to offer the company.
Besides narrowing the field of potential participants, Apple has also scoped out very specific types of vulnerabilities it’s interested in. And they are for hackers with very precise expertise: The $200,000 bounties will be only for vulnerabilities in Apple’s secure boot firmware, the mechanisms that protect against the loading of untrusted software at startup and thereby prevent jailbreaking (among other things). Apple will also offer bounties of up to $100,000 for exploits that successfully extract information protected by the Secure Enclave Processor, and smaller rewards (up to $50,000) to people who find ways of accessing iCloud user account data stored by Apple or of executing code that can control the operating system’s core functions, or kernel. Finally, participants who find a way to circumvent the “sandboxes” Apple uses to isolate processes (so that someone with access to one app on your phone, for instance, does not have access to all the data stored by every other app on your phone) will be eligible for rewards of up to $25,000.
So if words like secure boot, Secure Enclave Processor, kernel, and sandboxing don’t mean anything to you, well, you’re probably not about to be invited to compete for $200,000 rewards. But what’s worth noting here is not so much the particulars of which vulnerabilities Apple is and is not interested in, but rather the specificity with which they’ve pinpointed the security issues they care about and are willing to shell out for. Compare that to how Google describes the types of vulnerabilities that qualify for its bug bounty program: “Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program.” Or Microsoft’s explanation of what qualifies for its maximum $100,000 bounties: “truly novel exploitation techniques against protections built into the latest version of our operating system.”
Apple is targeting the people it wants, telling them exactly which vulnerabilities it’s interested in finding, and promising them five- or six-figure payouts for their trouble. This isn’t a bug bounty program for amateurs or hobbyists looking to flex their security skills and earn a little spare cash; it’s a program for Apple to cultivate a small, dedicated corps of hand-selected experts who can potentially support themselves quite comfortably by finding a few high-value vulnerabilities for the company.
All bug bounty programs have a certain element of recruiting to them in that they introduce companies to new security talent, but Apple essentially seeks to hire non-employees to work on its most pressing security problems. Apple will hand-pick these people, just as it does employees; it will tell them what security vulnerabilities to look for, just as it does employees; and it will pay them sums of money that, at least in some cases, will probably be on par with full-time employee salaries. The difference is that the security researchers will still retain their independence to work on other projects and escape some of the confines of corporate culture, company reorganizations, and performance reviews. That could turn out to be a very attractive offer for smart people who like to break things and like to be their own bosses but don’t like meetings—and there are a number of very talented security researchers who fit that description.
Apple’s bug bounty program could transform the model that many companies have relied on, replacing the open-door, all-bugs-matter and all-security-researchers-are-welcome philosophy with a more focused, exclusive, and lucrative approach. That would mean that instead of sending off lots of checks for $500 or $1,000 to hackers who find small bugs that can be used to crash a program or exploit obscure applications, companies would increasingly tailor their programs to provide larger rewards for those who find a smaller number of high-value vulnerabilities that target the heart of their systems’ security protections. This model has the disadvantage of potentially discouraging newer, untested hackers, who are not yet established experts and may not be up to the challenge of finding vulnerabilities in the most highly secured segments of a company’s software, but who could be spurred on to acquire those skills by the occasional $1,000 reward. It’s important that there be intellectually and financially rewarding challenges for those people to cut their teeth on as they hone their skills—and wait for their invitations from Apple to vie for the $200,000 prize.