Historically, Apple has been one of the technology companies with the stingiest security research rewards program: compared with some of its top competitors, the company offered few incentives and few tools for professionals to discover flaws in its software. Now that is about to change.
Apple's head of security engineering, Ivan Krstić, took the stage at the Black Hat 2019 security conference in Las Vegas (USA) to announce a significant expansion of the company's security research and rewards program. As speculated a few weeks ago, the change covers several fronts, starting with the fact that the program is now open to all interested researchers instead of being limited to a select group of invited participants.
Another interesting aspect of the new program is that Apple is providing, for the first time, special iPhone units for researchers to use in their analysis. These devices offer root and SSH access, as well as advanced debugging capabilities, and will be distributed to researchers who apply and "have a track record of high-quality security research".
The introduction of "research iPhones" kills two birds with one stone: on the one hand, it increases researchers' interest in the program (together with the other changes, which we'll discuss shortly); on the other hand, it may weaken the gray market for pre-production developer iPhones smuggled out of Apple, which has been a favorite way for many researchers to find flaws and vulnerabilities in iOS.
New rewards program
Apple has also significantly increased the payouts for researchers who discover vulnerabilities in its systems. While the previous program capped rewards at $200,000 for the most serious flaws, certain vulnerabilities may now earn researchers up to $1 million.
Here is a basic list of vulnerability categories and their maximum payouts:
- Bugs that allow access to a locked device or to an iCloud account: up to $100,000;
- Vulnerabilities that allow a device to be attacked through an app or over the network: up to $250,000;
- Flaws that make it possible to compromise a device over the network with no user interaction: up to $1 million.
Finally, another change much celebrated by the research community: from now on, Apple's bounty program is no longer limited to iOS. All of the company's other operating systems (macOS, watchOS and tvOS) are included, and iCloud is also part of the initiative. As a result, researchers' interest in hunting for flaws in the company's other systems and services should rise sharply, and the entire Apple ecosystem stands to be strengthened.
Good news, right?