Bugcrowd On Apple’s New Bug Bounty

By   ISBuzz Team
Writer, Information Security Buzz | Aug 09, 2019 07:21 am PST

Apple opening its bug bounty program up to all researchers is an interesting move, but an anticipated one. Public programs open companies up to more diversity and creativity from a broader crowd of security researchers.

Among other updates to the program, Apple is demonstrating that it understands the importance of finding bugs not just when they're in the hands of customers, but also in the production cycle.

In fact, Bugcrowd's Priority One Report shows that this model is invaluable for vulnerability discovery: over the last year, vulnerability submissions increased by 92% and average payouts increased by a whopping 83%.

Expert Comments
Mårten Mickos
August 12, 2019 9:31 pm

Apple is known for its solid security practices. Increasing the bug bounties and broadening the scope is a natural step in strengthening their security posture and making it attractive for security researchers to spend time looking for vulnerabilities in Apple's products (essentially their operating systems).

Across the industry, we consistently see more engagement from ethical hackers when higher bounties are offered.

It is excellent to see a $1 million bounty for iOS vulnerabilities that let attackers control a phone without user interaction. On the black market, such exploits carry a much higher price. But security researchers prefer to do the right thing and send their finding to the owner of the system even if there could be a higher payout on the dark side.

Casey Ellis, CTO and Founder
August 9, 2019 3:27 pm

Apple's bug bounty program is in a unique position, given it needs to compete with an established offensive market. Most other industry players don't face this hurdle, and this in combination with their focus on product security is a telling sign of why payouts are so large. The skills to find the types of bugs Apple are targeting are rare and often tied up in the offensive market, and are another indication of why payouts are high. It's great to see the bounty team there working with their incentives to match that, and it's a smart move to gain access to that talent to make their products stronger.

The iOS Security Research Device Program is interesting too. Apple has been very clever in developing tooling to help bring in some of the upstarts in the security researcher community, making the onramp to being a productive iOS hacker much easier for them. There are many folks with the core skills and intelligence required to help with discovery of Apple bugs, but they haven't done a lot of it yet, for instance. With access to the new program, Apple is making way for the rising stars, and achieving their goal of growing the community who understand their technologies at this deep a level.
