Apple raises bug bounty to $1m and introduces developer devices

9 Aug 2019

iPhone X. Image: leungchopan/Depositphotos

Apple has increased its bug bounty from $200,000 to $1m, which is the highest bug bounty on offer from a tech company.

Three years ago, Apple launched its bug bounty programme, which offered hackers the sizeable sum of $200,000 if they could spot vulnerabilities in the iPhone system.

When the programme was launched it was invitation-only because, after consultation with other tech companies, Apple believed that opening the bounty system to the public would result in a spate of low-value reports that might overshadow a report of a serious, high-risk vulnerability.

At the time of launch, there were five different categories of risk and reward. The bounties ranged from a minimum of $25,000 to a maximum of $200,000. Since then, 50 serious bugs have been reported.

Now, Apple has decided to raise the iPhone bounty to $1m, which is the highest bug bounty on offer from any major tech company, according to Forbes. The bug bounty programme will also be open to all researchers, not just those who were invited by the company.

Developer devices

On Monday (5 August), Forbes also revealed that Apple would provide bug bounty participants with developer devices, which would allow them to dive further into iOS than they could with a standard iPhone.

These devices allow hackers to pause the processor and examine the data in memory in greater detail. The handsets come with secure shell, a root shell and advanced debugging capabilities, which make it easier for researchers to spot bugs.

This particular aspect of the bug bounty is open only to those who have successfully applied to the iOS Security Research Device programme.

The Verge wrote: “While these special iPhone dev devices will be more open to security researchers, they won’t have the deep level of access that internal Apple developers and the company’s security team have.”

Bounty extension

Any individual or organisation interested in receiving the $1m bounty will have to demonstrate that they can gain complete control of a phone, simply by knowing a target’s phone number, without any user interaction at all.

If a researcher can find a vulnerability in pre-release builds, before a phone or a version of iOS is made available to the public, they will qualify for a 50pc bonus on top of the sum they receive for spotting a vulnerability in the first place.

On Thursday (8 August), Apple also confirmed that it would be rolling out its bug bounty programme even further, to include macOS, Apple TV and the Apple Watch.

According to TechCrunch, security researchers previously refused to report security flaws they encountered on macOS to Apple, as there was no financial incentive to do so.

Discouraging repair

Amid all of these security announcements, Apple has quietly introduced a new feature into iOS 12 and the iOS 13 beta, which was discovered by iFixit.

If a user or third party replaces a battery in the iPhone XS, XR and XS Max, a message in the battery health settings will warn the user that the battery needs to be serviced, regardless of whether it is actually degraded or not. This happens even if the battery is swapped for a genuine Apple battery.

iFixit wrote: “It’s not a bug; it’s a feature Apple wants. Unless an Apple Genius or an Apple Authorised Service Provider authenticates a battery to the phone, that phone will never show its battery health and always report a vague, ominous problem.

“Put simply, Apple is locking batteries to their iPhones at the factory, so whenever you replace the battery yourself – even if you’re using a genuine Apple battery from another iPhone – it will still give you the service message.”

iFixit called the move “a user-hostile choice” that makes repair “increasingly difficult”.

The Verge commented: “The evidence suggests that people hold onto their phones for longer when they have access to cheap battery repairs. When Apple reduced the price of its battery replacements, so many people took advantage of it that it actually ended up harming the sale of new iPhones.”

Kelly Earley was a journalist with Silicon Republic