
Apple to reportedly provide 'dev device' iPhones for bug hunting, introduce Mac bounty

Apple's Ivan Krstic announces the bug bounty program at Black Hat USA 2016.


Apple will furnish vetted security researchers with special iPhone variants in an effort to suss out hardware and software vulnerabilities, according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

Citing people familiar with Apple's plans, Forbes reports special iPhone hardware will be supplied to participants of the tech giant's invitation-only bug bounty program.

Details are scarce, but sources describe the iPhones as "dev devices" that offer researchers far more latitude in probing for iOS vulnerabilities than common consumer variants. While not quite as unrestricted as units supplied to Apple's own security team, the bug bounty handsets are expected to allow bug hunters to halt processor operations and inspect system memory while conducting targeted attacks, the report said.

Apple intends to protect its most prized code, however, as the report notes hackers are unlikely to gain access to key iPhone firmware.

The report speculates Apple's decision to seed the special iPhones to bug bounty members stems from industry reactions to leaked dev devices. In the past, security researchers have benefitted from access to developer hardware, especially in surfacing crucial zero-day vulnerabilities.

Along with the dev device program, Apple is also expected to announce a new bug bounty program for macOS. Currently, the company limits its bug bounty to iOS — its most important platform — with payments ranging from $200,000 for exploits related to secure boot firmware components to $25,000 for less critical flaws.

Researchers have called on Apple to create a macOS bug bounty for years, but the company has shown little interest in following through with a formal program. Apple's stance on the issue was brought to the fore in February when German teenager Linus Henze uncovered a macOS Keychain exploit but refused to hand over details in protest. Henze ultimately divulged his findings, saying the vulnerability was too important to keep secret.

Sources say Apple plans to announce both the dev iPhone program and Mac bug bounty initiative at the Black Hat security conference this week. Apple's security engineering chief Ivan Krstic is scheduled to discuss iOS 13, macOS Catalina and more during a presentation on Thursday.



8 Comments

1STnTENDERBITS 8 Years · 460 comments

...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.
If this is true, I got 2 things.  1. Great   2. About goddamn time. 

bobolicious 10 Years · 1177 comments

...I would ask if the general approach of (i)Cloud (as a concept) may be reasonably considered a vulnerability, strategically and simply by design...? Is there merit in offerings such as owncloud.com/private-cloud/ that suggest a distributed cloud may offer a more secure or at least less attractive and targetable option...?

I might also ask about Photos auto-tagging (offer an off preference) and rolling out an implementation of S/MIME email encryption 'for the rest of us' that is free like the macOS apps, and given the efficacy already built in to both macOS and iOS...?

Arina14 5 Years · 29 comments

I think it's a great idea if this is true. Hopefully, these initiatives will help minimize the number of shortfalls that plague Mac and iPhone users.

seanismorris 8 Years · 1624 comments

...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

If this is true, I got 2 things.  1. Great   2. About goddamn time. 

#2 *******

Looks like Apple is finally getting serious about security.

Now they just need to find out what’s up with Cellebrite... 
There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.

1STnTENDERBITS 8 Years · 460 comments

...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

If this is true, I got 2 things.  1. Great   2. About goddamn time. 
#2 *******

Looks like Apple is finally getting serious about security.

Now they just need to find out what’s up with Cellebrite... 
There’s a vulnerability (there) being exploited that’s unknown to Apple.  If someone knows it’s only a matter of time before criminals know.

Plot twist: Where do you think Cellebrite gets some of their vulnerabilities?  Dunh... dunh... duuuuuunnhh :o   Okay, I'm mostly just joking but it's not beyond the realm of possibility.  More likely though, Apple introduces new vulnerabilities every time they update the OS.  It's how software development works and why there's a ton of time devoted to betas... to get rid of as many bugs and vulnerabilities before pushing out the update.  Some are always missed - cuz human.

But it's funnier to think of Cellebrite participating in some dark web vulnerability auction against a guy menacingly stroking a grumpy cat :D