Apple to reportedly provide 'dev device' iPhones for bug hunting, introduce Mac bounty
Apple will furnish vetted security researchers special iPhone variants in efforts to suss out hardware and software vulnerabilities, according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.
Citing people familiar with Apple's plans, Forbes reports special iPhone hardware will be supplied to participants of the tech giant's invitation-only bug bounty program.
Details are scarce, but sources describe the iPhones as "dev devices" that offer researchers far more latitude in probing for iOS vulnerabilities than common consumer variants. While not quite as unrestricted as units supplied to Apple's own security team, the bug bounty handsets are expected to allow bug hunters to halt processor operations and inspect system memory while conducting targeted attacks, the report said.
Apple intends to protect its most prized code, however, as the report notes hackers are unlikely to gain access to key iPhone firmware.
The report speculates Apple's decision to seed the special iPhones to bug bounty members stems from industry reactions to leaked dev devices. In the past, security researchers have benefitted from access to developer hardware, especially in surfacing crucial zero-day vulnerabilities.
Along with the dev device program, Apple is also expected to announce a new bug bounty program for macOS. Currently, the company limits its bug bounty to iOS — its most important platform — with payments ranging from $200,000 for exploits related to secure boot firmware components to $25,000 for less critical flaws.
Researchers have called on Apple to create a macOS bug bounty for years, but the company has shown little interest in following through with a formal program. Apple's stance on the issue was brought to the fore in February when German teenager Linus Henze uncovered a macOS Keychain exploit but refused to hand over details in protest. Henze ultimately divulged his findings, saying the vulnerability was too important to keep secret.
Sources say Apple plans to announce both the dev iPhone program and Mac bug bounty initiative at the Black Hat security conference this week. Apple's security engineering chief Ivan Krstic is scheduled to discuss iOS 13, macOS Catalina and more during a presentation on Thursday.