Apple finally gives security researchers something they've wanted for years: a macOS bounty.
The tech giant said on Thursday it will expand the bug bounty program to include Macs and MacBooks, as well as Apple TV and Apple Watch, almost exactly three years after it debuted the bug bounty program for iOS.
The idea is simple: you find a vulnerability, you disclose it to Apple, Apple fixes it, and in return you get a cash payout. These programs are very popular in the technology industry: they pay security researchers for finding serious security flaws that could otherwise be used by malicious actors, and they help discourage researchers from selling their vulnerabilities to exploit brokers or on the black market, where the flaws can be abused to carry out surveillance.
But Apple had dragged its feet on rolling out a bug bounty for its computers. Some security researchers flat-out refused to report security flaws to Apple in the absence of a bounty.
At the Black Hat conference in Las Vegas, head of security engineering and architecture Ivan Krstić announced that the program would run alongside the existing iOS bug bounty.
Patrick Wardle, a security expert and principal security researcher at Jamf, said the move was a "no brainer."
Wardle has found several major security issues and dropped zero-days
"Granted, they hired a lot of incredibly talented scientists and security professionals – but still never had a transparent mutually beneficial relationship with external independent researchers," Wardle said.
"Sure, this is a victory for Apple, but in the end this is a huge win for Apple's end users," he added.
Apple said it would open the bug bounty program to all researchers and increase the maximum payout from the current $200,000 per exploit to $1 million for a zero-click, full-chain code execution exploit with persistence – in other words, one that lets an attacker gain complete control over a phone without any user interaction, simply by knowing the target's phone number.
Apple also said that any researcher who finds a vulnerability in pre-release builds and reports it prior to general release will qualify for a bonus of up to 50% on top of the payout for the vulnerability category they detect.
The bounty programs will be available to all security researchers beginning later this year.
The company also confirmed a Forbes report, published earlier this week, saying it will provide a number of "dev" iPhones to vetted and trusted security researchers and hackers under the new iOS Security Research Device Program. These are special devices that give hackers greater access to the underlying software and operating system, to help them find vulnerabilities in components that are normally locked away from other security researchers – such as the secure enclave.
Apple said it hopes that extending the bug bounty program will encourage more researchers to privately disclose security flaws, which will help improve protection for its customers.