Apple users are not entirely immune to cyber threats and vulnerabilities. Thus, it is not that surprising that Apple has decided to expand its bug bounty program to more researchers and to increase the maximum payout to $1 million.
The announcement was made a few days ago by Ivan Krstić, head of Apple’s security engineering and architecture, during the Black Hat security conference in Las Vegas. The program is scheduled to launch next year, and it will give selected researchers special iOS devices to look for vulnerabilities.
Maximum payment in Apple’s Bug Bounty is now $1 million
The maximum payment of the bug bounty is set at $1 million, and it is meant for persistent kernel-level security flaws that require no user interaction. Overall, Apple has increased the payouts for other vulnerabilities and problems.
The most interesting thing about the updated bug bounty program is that Apple plans to grant access to pre-release software. Bounty hunters will also be given inside access to iOS, including devices that come with SSH enabled. macOS, iCloud, tvOS, iPadOS, and watchOS are also included in the program, as opposed to its current version, which only covers iOS and iCloud.
According to a Krstić presentation during the conference, the program will be open to “everyone with a record of high-quality systems security research on any platform”.
The highest previous payment in Apple’s bug bounty program was $200,000, awarded for the discovery of a flaw in secure boot firmware components. Researchers also had to be invited to participate, which limited the program by default. The change in the program triggered positive feedback from the community, including Patrick Wardle, a well-known Apple security expert.
Apple’s bullet-proof security is a myth
A recent report released by TU Darmstadt and Northeastern University researchers reveals that vulnerabilities in AWDL (Apple Wireless Direct Link) could enable attackers to track users, crash devices, or intercept files transferred between devices in man-in-the-middle (MitM) attacks.
From a user perspective, AWDL allows a device to remain connected to an infrastructure-based Wi-Fi network and communicate with AWDL peers simultaneously by quickly hopping between the channels of the two networks (AWDL uses fixed social channels 6, 44, and 149), StackOverflow users wrote.
According to the report, “with deployments on over one billion devices, spanning several Apple operating systems (iOS, macOS, tvOS, and watchOS) and an increasing variety of devices (Mac, iPhone, iPad, Apple Watch, Apple TV, and HomePod), Apple Wireless Direct Link (AWDL) is ubiquitous and plays a key role in enabling device-to-device communications in the Apple ecosystem.”