In the nearly ten years since it launched its bug bounty program, Apple has steadily raised its maximum payouts: $200,000 in 2016 and $1 million in 2019. Now the company is raising the stakes again. At the Hexacon offensive security conference in Paris on Friday, Apple’s vice president of security engineering and architecture, Ivan Krstić, announced a new payout cap of $2 million for chains of software exploits that could be abused for spyware.
The move reflects how valuable exploitable vulnerabilities are within Apple’s tightly locked-down mobile environment — and how far the company will go to keep such discoveries from falling into the wrong hands. On top of the individual payouts, the bug bounty also has a bonus structure that adds extra rewards for exploits that bypass Lockdown Mode and for those discovered while Apple’s software is still in beta testing. Combined, the maximum reward for a potentially disastrous exploit chain will now be $5 million. The changes take effect next month.
“We’re preparing to pay several million dollars here, and there’s a reason for that,” Krstić tells WIRED. “We want to make sure that for the toughest categories, the toughest problems, the things that closely mirror the types of attacks we see with mercenary spyware — that researchers who have those skills and capabilities and have put in that effort and time can get an enormous reward.”
Apple says there are more than 2.35 billion of its devices active around the world. The bug bounty was originally an invitation-only program for prominent researchers, but since opening to the public in 2020, Apple says it has awarded more than $35 million to more than 800 security researchers. Top-dollar payouts are very rare, but Krstić says the company has made multiple $500,000 payouts in recent years.
In addition to the higher potential bounties, Apple is also expanding its bug bounty categories to include certain types of one-click WebKit browser exploits as well as wireless proximity exploits carried out over any type of radio. There is also a new program known as “Target Flags” that brings the concept of capture-the-flag hacking contests to real-world testing of Apple’s software, helping researchers demonstrate the capabilities of their exploits quickly and definitively.
Apple’s vulnerability bounty is just one of many long-term investments aimed at reducing the number of critical vulnerabilities or preventing their exploitation. For example, after more than five years of work, the company last month announced a security protection in the new iPhone 17 lineup that aims to eliminate the most exploited class of iOS bugs. The feature, known as Memory Integrity Enforcement, is a major change aimed at protecting a small minority of the most vulnerable and highly targeted groups around the world — including activists, journalists, and politicians — while also adding defense for all users of the new devices. To that end, the company announced on Friday that it will donate 1,000 iPhone 17 devices to human rights groups that work with people at risk of targeted digital attacks.
“You could say, well, this seems like a very big effort to protect this very small number of users who are being targeted by mercenary spyware, but there’s just this indisputable record that journalists and technology companies and civil society organizations have described that these technologies are constantly being abused,” Krstić says. “And we feel a great moral obligation to stand up for these users. Despite the fact that the vast majority of our users would never be targeted by anything like this, this work we’ve done will end up increasing protection for everyone.”