As part of its commitment to security, Apple rewards researchers who identify critical issues and exploit techniques (the vulnerabilities others might exploit) and report them to the company. To protect its customers, Apple makes it a priority to fix confirmed issues as quickly as possible. Apple also publicly credits those who disclose valid findings and will match donations of bounty payments to qualifying charities. This is the main reason the Apple bug bounty attracts so many bug hunters, which in turn improves the safety of Apple's customers. In this article we discuss the program in detail: its objectives, the eligibility criteria and the rules Apple publishes officially.
Updates from Apple create quite a buzz among netizens, and especially among iPhone owners and other Apple device holders. So what is in it this time? Read on to find out.
Under the rules Apple publishes for the program, a researcher is eligible only if the issue is demonstrated on the latest publicly available version of iOS, iPadOS, macOS, tvOS or watchOS with a standard configuration and, where applicable, on the latest publicly available hardware or the Security Research Device. These eligibility requirements safeguard users until an update is ready, let Apple validate reports quickly and ship the required fixes, and ensure that people who conduct original research are compensated appropriately. Researchers are required to follow:
Issues that qualify include:
The purpose of the Apple Security Bounty is to protect customers by learning about vulnerabilities and how they can be exploited. Reports that include only a basic proof of concept rather than a working exploit are eligible for no more than half of the maximum payout. Reports that lack the details Apple needs to reproduce the issue quickly receive a significantly reduced bounty, if they are accepted at all.
A complete report includes a detailed description of the issue being reported, any prerequisites and the steps required to get the system into the affected state, and a reliable proof of concept or exploit for the issue.
Apple's official rules also specify additional requirements that, when satisfied, can maximize the reward. Issues that require several exploits to be chained together, as well as one-click and zero-click issues, require a full chain in addition to a thorough report to qualify for the maximum reward. The chain and report must contain the following items:
Send the report to [email protected]. Encrypt all correspondence with the Apple Product Security PGP key wherever possible. Include any relevant videos, crash logs and system diagnostic reports in the email, and use Mail Drop to transmit large files if required.
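The following is an added example, not code from the original article or from Apple, showing how a researcher can bundle a report with its attachments and encrypt it with GnuPG before emailing it. Because the real Apple Product Security key is not reproduced on this page, the script generates a throwaway key pair locally as a stand-in for the recipient; the recipient address and the report contents are constructed placeholders. In practice you would import Apple's published key, verify its fingerprint against the value Apple publishes, and encrypt to that key instead.

```shell
#!/usr/bin/env bash
# Added example: encrypt a bounty report bundle with GnuPG.
# The recipient key is a throwaway pair generated here as a stand-in for the
# real Apple Product Security PGP key (assumption, see lead-in).
set -euo pipefail

# Isolated keyring so the example never touches the user's real keys.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"

# Placeholder recipient, NOT Apple's real address.
RECIPIENT="product-security@example.invalid"

# Stand-in for "import Apple's public key": create a local, unprotected key.
make_demo_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$RECIPIENT" default default never
}

# Assemble the report plus attachments into one tarball (constructed content).
build_report() {
  local dir="$1"
  mkdir -p "$dir"
  printf 'Title: constructed sample finding\nSteps to reproduce:\n1. ...\n' \
      > "$dir/report.txt"
  printf 'Constructed crash log\nException Type: EXC_BAD_ACCESS\n' \
      > "$dir/crash.log"
  tar -C "$dir" -cf "$dir/report.tar" report.txt crash.log
  echo "$dir/report.tar"
}

# Encrypt the bundle to the recipient key, ASCII-armored so it pastes into mail.
# --trust-model always skips the "key not certified" prompt in batch mode;
# with the real key you would verify the fingerprint instead of doing this.
encrypt_report() {
  local in="$1" out="$2"
  gpg --batch --quiet --yes --trust-model always --armor \
      --recipient "$RECIPIENT" --output "$out" --encrypt "$in"
  echo "$out"
}

# Sanity check before sending: count the public-key-encrypted session keys in
# the ciphertext. Exactly one means it was encrypted to exactly one recipient.
encrypted_for_recipient() {
  gpg --batch --quiet --list-packets "$1" | grep -c ':pubkey enc packet:'
}
```

The encrypted `report.tar.asc` is what goes in the email body or as an attachment; the plaintext tarball should never leave the machine unencrypted. Running `gpg --list-packets` on the output before sending is a cheap way to confirm the message was encrypted to the intended key and not, for example, to a stale key with the same user ID.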
According to the Washington Post, Apple's relationship with third-party security researchers could use some fine-tuning. The main aim of the Apple bug bounty program is to encourage ethical security researchers, also known as ethical hackers, to discover and responsibly disclose security flaws in its products, but the program appears to be less researcher-friendly and slower to pay than the industry standard. According to Luta Security CEO Katie Moussouris, researchers allege serious communication problems and a general lack of trust between Apple and the infosec community, even though the bounties themselves ought to be attractive; in her words, it is "a bug bounty program where the house always wins." The following real-life example illustrates these problems and the lack of response to an Apple bug report.
Tian Zhang, a software engineer, disclosed a critical security weakness in HomeKit, Apple's home-automation framework, in 2017. The bug essentially allowed anybody with an Apple Watch to take control of any HomeKit-managed accessory physically near them, such as smart locks, surveillance cameras and lights.
After a month of emails to Apple Product Security went unanswered, Zhang enlisted the help of the Apple news site 9to5Mac to contact Apple PR, whom he characterized as "far more proactive" than Apple Product Security. According to Zhang, Product Security ignored his second and third bug reports, paying no bounties and giving no credit, even though the vulnerabilities were fixed. Zhang's membership in the Apple Developer Program was terminated after he reported the third bug. This happened even though all of the criteria in Apple's published rules had been met.
To conclude, the Apple bug bounty is an attractive platform for many, but unless the process is refined it will continue to leave a negative impression on those who submit their findings. This article has covered the rules Apple publishes officially, how to write the report, the steps for submission and the practical problems researchers face along the way. We hope it has been useful in understanding the bounty program Apple introduced as a measure to improve the security of its products.