A report from Monday claims Apple will provide special iPhone versions to vetted security researchers as part of an effort to more easily find security holes in iOS. The report also says the Cupertino firm will finally institute an official bug bounty program for the Mac.
A Forbes report – which cites the usual “people familiar with Apple’s plans” – says special iPhone hardware will be supplied to participants in the company’s bug bounty program, which is an invitation-only program.
While details of the program are scarce, the report’s sources describe the iPhones as “dev devices,” that “allow the user to do a lot more than they could on a traditionally locked-down iPhone.”
The devices should allow users to probe parts of the iOS operating system that aren’t easily accessible on a standard iPhone. The devices could allow hackers to stop the processor and inspect memory for vulnerabilities, allowing them to view what is happening at a code level when they attempt to attack the iOS code.
The devices will not offer the same access as the iPhones used by Apple’s internal staff. The “lite” versions of the devices will not provide the same level of openness as that enjoyed by Apple’s security team, says one of the report’s sources. Hackers are unlikely to receive access to key iPhone firmware.
In addition to the new dev device program, Apple is also expected to announce a new macOS-related bug bounty program. Currently the company limits its bug bounty payouts to iOS. The current iOS program payouts range from $200,000 for exploits related to secure boot firmware components to $25,000 for less critical flaws.
Security researchers have for years been urging Apple to initiate a bug bounty program for macOS, but this is the first time reports have indicated interest on Apple’s part.
It is possible that Apple’s new interest in such a program may have been spurred at least in part by an incident in February, when German teen Linus Henze discovered a macOS Keychain exploit but refused to hand over details of the flaw in protest of Apple’s not offering a macOS bug bounty. Henze eventually handed over the details of the flaw, saying the vulnerability was too important to not disclose.
Forbes sources says Apple will announce both the dev iPhone initiative and the macOS bug bounty program at this week’s Black Hat security conference. Apple’s security engineering chief Ivan Krstic will discuss iOS 13, macOS Catalina, and more during a presentation on Thursday.
