Apple is so concerned about someone hacking the iPhone that it’s willing to pay one million dollars to any security researcher who reports certain types of vulnerabilities.
At this year’s edition of the Black Hat security conference in Las Vegas, Ivan Krstić, Apple’s head of security engineering and architecture, told the audience (and the world at large) that Apple would pay that million-dollar bounty to anyone who discovers a remote attack that gives an attacker total control of a user’s iPhone with no interaction from that user.
“We want to attract some of the exceptional researchers who have thus far been focusing their time on other platforms,” Krstić said, according to Wired. “Today many of them tell us they look at our platform and they want to do research but the bar is just too high.”
(This also gives us an excuse to use our Dr. Evil from “Austin Powers” voice: “ONE… MIIIILLLION DOLLARS!”)
Apple isn’t the only company offering big payouts in exchange for critical vulnerabilities. That price war is at least partially due to the need to keep exploits off the black market, where less-than-ethical hackers are willing to sell them to the highest bidder. In addition to criminals who’d like to break into individual devices and corporate networks, the National Security Agency (NSA) and other government institutions have been accused of purchasing zero-day exploits (although such transactions are virtually impossible to prove; indeed, it’s likely that some hackers have no idea who they’re actually selling to).
Over the past few years, the NSA has been criticized for “hoarding” vulnerabilities without telling the affected companies, leading to unnecessary breaches and other issues. Tech companies’ security teams probably figure that, if they pay a large-enough bounty, they can encourage third-party researchers and hackers to come to them first.
“The second-best reason to have a bug bounty is to find out about a vulnerability that’s already in the users’ hands and fix it quickly,” Krstić added (per Wired). “The number one best reason is to find a vulnerability before it ever hits a customer’s hands.”
Apple is also willing to pay $100,000 to anyone who finds a way to bypass the iPhone’s lock screen, and $500,000 for network attacks that can be fully exploited without any interaction from the end user. There’s also a 50 percent bonus if a security researcher discovers a flaw in an iOS, tvOS, watchOS, or macOS beta before it ships; someone who finds a zero-interaction remote attack against the upcoming version of iOS, for example, could earn a cool $1.5 million.
Before Black Hat, Apple announced that it would hand out “pre-jailbroken” iPhones to security researchers as part of an invite-only program. In theory, these customized devices let researchers do much more than they could with an off-the-shelf device, such as inspect the system at the code level rather than only through the restricted interfaces a production phone exposes. Apple is also extending its bounty program to all of its operating systems, which is timely, considering that the company’s roadmap includes cross-platform apps.
In the meantime, if ONE… MIIIILLLION DOLLARS isn’t tempting to your average security researcher, we don’t know what is.