Apple summons security experts for bug bounty program brief - report
Apple has allegedly invited a bevy of third party security experts and device hackers to its headquarters to break down the details of the previously announced bug bounty program for macOS and iOS.
According to Forbes, the invitees include Nicholas Allegra, Francisco Alonso, Steven De Franco, Stefan Esser, Hao Xu, Alex Ionescu, Braden Thomas, Luca Todesco, Pedro Vilaca, Patrick Wardle, and Jonathan Zdziarski.
Allegra, also known as "Comex," interned at Apple in 2011 after releasing a number of iOS exploits. He departed the company in 2012, and returned to Brown University. De Franco, also known as "ih8snow," was responsible for early jailbreaks of iOS.
Esser discovered a zero-day vulnerability in OS X 10.10 in August 2015. Todesco discovered another OS X exploit, this one in OS X 10.10.5, shortly after Esser's discovery.
Ionescu worked at Apple on the iOS kernel security, and is an independent security researcher now. Thomas was a product security engineer at Apple for six years and is also now an independent security evaluator.
Vilaca is SentinelOne's lead security expert on OS X, and has multiple credits throughout the years on Apple's exploit rectification summaries. Wardle is most well known for a Gatekeeper exploit discovery, and development of Malware infestation prevention tool BlockBlock.
Zdziarski was the first to publicly note that iOS 10 had an unencrypted kernel, and discovered that WhatsApp was not necessarily completely destroying all chats.
While the meeting has not been confirmed by Apple or the invitees, several of the participants social media streams have noted in the last 24 hours that they are on the way to San Francisco.
Sources familiar with the matter claim that the list of invitees "is not too big at all" so Apple can "focus on getting actionable information" rather than potentially lose tangible information in a sea of leads.
At a presentation at this year's Black Hat security conference Apple announced plans to institute its first ever bug bounty program. It did not delve into much detail about the program at that time, but the presentation noted that it would be by invitation only.
Maximum payments peak at $200,000 for secure boot firmware components, $100,000 for extraction of confidential material protected by the Secure Enclave Processor, $50,000 for execution of arbitrary code with kernel privileges, $50,000 for unauthorized access to iCloud account data on Apple servers, and $25,000 for access from a sandboxed process to user data outside of that sandbox.