Bug bounty programs are lucrative, and expanding. Firms from Google to GitHub have one, and new reports suggest Apple is finally launching their own official program. At the same time, Microsoft is expanding Azure’s program with larger payouts.
Ahead of the Black Hat security conference (August 7-8), Microsoft announced the Azure Security Lab, a sandboxed online environment for researchers to stress-test Azure vulnerabilities. The company says it has issued $4.4 million in bounty rewards over the past 12 months, adding that the top prize within the Azure Security Lab is $300,000 for a virtual machine escape (demonstrating “a functional exploit enabling an escape from a guest VM to the host or to another guest VM”). It has doubled the top payout for critical targets in the more mainstream Azure bug bounty program to $40,000.
Azure Security Lab is not open to anyone (unlike the Azure bug bounty program, which is). You have to request access, and it’s “reserved for security researchers to explore and exploit vulnerabilities in ways that wouldn’t be practical on the standard cloud, for reporting to Microsoft for bounty.” It’s a totally contained environment, and meant for dedicated security researchers, so don’t expect to make $300,000 while casually kicking the tires on Azure.
Later this week at Black Hat, Apple is expected to announce its own bug bounty program… and it’s a bit weird. Forbes reports Apple is set to hand out “pre-jailbroken” iPhones to security researchers. This hardware handout is believed to be an extension of Apple’s existing invite-only bug bounty program, launched in 2016. One person familiar with the plans told Forbes the iPhones are “dev devices”:
What makes these iPhones special? One source with knowledge of the Apple announcement said they would essentially be “dev devices.” Think of them as iPhones that allow the user to do a lot more than they could on a traditionally locked-down iPhone. For instance, it should be possible to probe pieces of the Apple operating system that aren’t easily accessible on a commercial iPhone. In particular, the special devices could allow hackers to stop the processor and inspect memory for vulnerabilities. This would allow them to see what happens at the code level when they attempt an attack on iOS code.
In addition to expanding its existing program with bespoke hardware, Apple is also said to be launching a long-overdue macOS bug bounty program. Details of this arm of Apple’s bug bounty program are unclear, but it’s likely going to have the same payouts as its iOS counterpart, and act as an invitation-only program. The current known payment structure for Apple’s program tops out at $200,000.
Why Apple hasn’t launched a macOS bug bounty yet is anyone’s guess. That it’s launching one now is curiously timed; it coincides with the debut of Catalina, which ushers in the era of cross-platform apps. Many see iPadOS apps running on macOS as a sign of platform convergence, and expanding the scope of the bug bounty program will do nothing to dissuade that chatter.