Bug bounties: How does Apple's program compare to others?

Apple has started to offer bug bounties to researchers who find vulnerabilities in iOS. Expert Michael Cobb compares Apple's program to that of other companies.

During Black Hat 2016, Apple finally launched its long-awaited bug bounty program, which will be invite-only. The program appears to be focused specifically on iOS bugs and will offer up to $200,000 for flaws in Apple's secure boot firmware components and up to $100,000 for extracting confidential data from the Secure Enclave processor. What do you think of Apple's bug bounty program? How do Apple's prices for iOS bugs compete with other bug bounties and, more importantly, the black market?

Over the last few years Google, Microsoft, Facebook, Samsung and many other major tech companies have been using bug bounties to offer recognition and compensation to non-employees who report security flaws in their products. Although these companies have in-house teams searching for security vulnerabilities, encouraging others to help find them improves the overall detection rate and reduces the chances of the wrong type of hacker discovering them first. Even companies that don't have the technical expertise to run their own bug bounty program have started outsourcing the process to firms like Bugcrowd. Apple had been a major exception, refusing to outbid governments and black markets that regularly pay for vulnerabilities in Apple products.

However, Apple finally launched its own bug bounty program, but it's quite different from those of other companies. It's purely invitation-only, open only to researchers who have previously made valuable vulnerability disclosures to the company. This approach is even more exclusive than that taken by the Department of Defense when it piloted its Hack the Pentagon program. Apple won't turn away new researchers if they provide useful disclosures but it clearly wants to avoid dealing with part-time sleuths, unknown researchers or shady hackers. It's looking for a higher percentage of quality submissions than many programs receive. Bugcrowd's 2016 Annual State of Bug Bounty Report found that private programs have a much better overall signal-to-noise ratio of 29% compared to 13% in public programs. This is borne out by Google Bughunter University, which says: "Approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security." Apple is not interested in encouraging younger, less established bounty hunters; instead, it wants those with the necessary specialist skills and expertise to find very specific types of vulnerabilities, particularly vulnerabilities that could lead to compromises of sensitive data and privacy issues, and its five- and six-figure bug bounties reflect that too. For example, vulnerabilities discovered in the secure boot firmware components can earn up to $200,000.

Compare that to the rewards and the types of vulnerabilities that qualify for Google's program where bug bounties top out at $20,000: "Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program." A "truly novel exploitation technique against protections built into the latest version of our operating system" will qualify for Microsoft's maximum $100,000 bounty, although it has run contests in which it has paid more. There is no cap on Facebook's bug bounties and according to the company, individual researchers have earned more than $100,000 for multiple valid submissions.

However, even these amounts won't beat the payouts researchers can earn from government agencies or the black market. The FBI reportedly paid nearly $1 million for the exploit it used to break into an iPhone used by Syed Farook, one of the individuals involved in the San Bernardino shooting in December 2015, while Exodus Intelligence has unveiled a "research sponsorship program" that offers as much as $500,000 for zero-day and n-day vulnerabilities -- exploits or vulnerabilities that have already been patched. These payments mean any type of bug bounty program is going to struggle to attract hackers who only care about earning money and have no qualms over the ethics of who pays them. Thankfully there are plenty of ethical hackers out there and existing programs have all identified new vulnerabilities that the sponsors didn't yet know about. Apple's bug bounty program will certainly help the overall security of its products now that there is a clear path for reporting vulnerabilities and potential fixes, and the rewards being offered reflect the amount of time and skill it takes to find and report critical vulnerabilities.


This was last published in November 2016