Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Apple's New Bounty Program Has Huge Incentives, Big Risks

Industry observers applaud the program's ability to find exploits but fear unintended consequences.

Last week at Black Hat USA, Ivan Krstić, Apple's head of security engineering and architecture, announced a massive expansion of the company's bug-bounty program. In addition to expanding the program from iOS to all of Apple's operating systems, the new program dramatically increases the bounties on offer, to a maximum of $1.5 million under certain circumstances.

"Apple is demonstrating that it understands the importance of finding bugs, not just when they’re in the hands of customers, but also in the production cycle," says Casey Ellis, CTO and founder of Bugcrowd. He points out that Apple now finds itself competing with offensive exploit buyers — those who will pay researchers for exploits that they will then use against victims in the real world.

"Most other industry players don't face this hurdle, and this in combination with their focus on product security is a telling sign of why payouts are so large," Ellis says. "The skills to find the types of bugs Apple is targeting are rare and often tied up in the offensive market, and this is another indication of why payouts are high."

Apple has long had a bug-reporting program for iOS but has limited payouts for exploits in other systems to a relative handful of prescreened and invited researchers. Now the program will be applied to macOS, tvOS, and watchOS as well as iOS.

While impressive, the bounties are not the only part of the enhanced program. Apple also announced the iOS Security Research Device Program — specially unlocked iPhones available to certain invited researchers who will be able to use the devices to find vulnerabilities and develop exploits. The security research devices are intended to be authorized, official alternatives to the "dev fused" altered phones available for thousands of dollars on the black market.

Apple is balancing two competing demands for the new program. On the one hand, Ellis says that expanded access to the program should bring talented new researchers into the Apple security field. On the other hand, "Crowd sourcing can be quite effective but also quite noisy," he explains, saying that a company can end up wading through many low-quality exploits or repeats of existing vulnerabilities from new researchers if it doesn't carefully stage the new researchers into the program.

That "noise" is part of the reason that not everyone is convinced that Apple is on the right track with the new program. "Apple's new $1 million bug bounty has more potential to wreak havoc on the defensive security ecosystem than it does to protect users," says Katie Moussouris, founder and CEO of Luta Security. "While some exploits may be acquired this way, and some new talent may come forward, this ultimately isn't a sustainable payout for defense."

Moussouris says that Apple may have gone beyond the point at which it creates what she calls "perverse incentives" in the market. She specifies three things that concern her about the scale of the bounties:

"1. Offense prices will simply increase as a direct result, so this doesn't 'compete' with that market; rather, it invigorates it.

"2. For another, this may be enough of an incentive for insiders to collude with outsiders. ...

"3. Finally, they may be sacrificing their own hiring pipeline & possibly even their current internal retention of employees."

Apple obviously wants to increase the number of researchers working on its platforms. Moussouris says that she hopes the program succeeds in bringing excellent research and new talent to the market. Ellis agrees and says that Apple has created a program that can pull that off. "The number of people who can effectively create exploits is small. Now, there's the reward and the test bed to let them build valuable experience."

Related content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4230
PUBLISHED: 2020-02-19
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 and 11.5 is vulnerable to an escalation of privilege when an authenticated local attacker with special permissions executes specially crafted Db2 commands. IBM X-Force ID: 175212.
CVE-2019-4429
PUBLISHED: 2020-02-19
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162886.
CVE-2019-4457
PUBLISHED: 2020-02-19
IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 could allow an authenticated user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 163654.
CVE-2019-4640
PUBLISHED: 2020-02-19
IBM Security Secret Server 10.7 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code. IBM X-Force ID: 170046.
CVE-2020-4135
PUBLISHED: 2020-02-19
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated user to send specially crafted packets to cause a denial of service from excessive memory usage.