
Apple is now opening its bug bounty to everyone, coverage includes iCloud, iPadOS, tvOS, and watchOS. Earn up to $1 million per vulnerability

Sources: Apple, The Verge

 

I have time stamped the Black Hat video from the previous thread that a lot of people are commenting about. You're welcome.

 


Unauthorized iCloud Account Access

$25,000. Limited unauthorized control of an iCloud account.

$100,000. Broad unauthorized control of an iCloud account.

Physical Access to Device: Lock Screen Bypass

$25,000. Access to a small amount of sensitive data from the lock screen (but not including a list of installed apps or the layout of the home screen).

$50,000. Partial access to sensitive data from the lock screen.

$100,000. Broad access to sensitive data from the lock screen.

Physical Access to Device: User Data Extraction

$100,000. Partial extraction of sensitive data from the locked device after first unlock.

$250,000. Broad extraction of sensitive data from the locked device after first unlock.

User-Installed App: Unauthorized Access to Sensitive Data

$25,000. App access to a small amount of sensitive data normally protected by a TCC prompt.

$50,000. Partial app access to sensitive data normally protected by a TCC prompt.

$100,000. Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox.

User-Installed App: Kernel Code Execution

$100,000. Kernel code execution reachable from an app.

$150,000. Kernel code execution reachable from an app, including PPL bypass or kernel PAC bypass.

User-Installed App: CPU Side-Channel Attack

$250,000. CPU side-channel attack allowing any sensitive data to be leaked from other processes or higher privilege levels.

Network Attack with User Interaction: One-Click Unauthorized Access to Sensitive Data

$75,000. One-click remote partial access to sensitive data.

$150,000. One-click remote broad access to sensitive data.

Network Attack with User Interaction: One-Click Kernel Code Execution

$150,000. One-click remote kernel code execution.

$250,000. One-click remote kernel code execution, including PPL bypass or kernel PAC bypass.

Network Attack without User Interaction: Zero-Click Radio to Kernel with Physical Proximity

$50,000. Zero-click code execution on a radio (e.g. baseband, Bluetooth or Wi-Fi) with only physical proximity, with no escalation to kernel.

$200,000. Zero-click partial access to sensitive data, with only physical proximity.

$250,000. Zero-click kernel code execution, with only physical proximity.

Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data

$100,000. Zero-click attack that can turn on and collect information from a sensor (e.g., camera, microphone, or GPS).

$250,000. Zero-click partial access to sensitive data, without physical proximity.

$500,000. Zero-click broad access to sensitive data.

Network Attack without User Interaction: Zero-Click Kernel Code Execution with Persistence and Kernel PAC Bypass

$1,000,000. Zero-click remote chain with full kernel execution and persistence, including kernel PAC bypass, on latest shipping hardware.

 

Notes and Definitions


 

“One-click” refers to an exploit requiring user interaction to successfully gain access or execution. (For example, the user clicks a malicious link or opens a malicious file.)

 

“Zero-click” refers to an exploit requiring no user interaction to successfully gain access or execution. (For example, being on a network or in proximity is sufficient.)

 

“Sensitive data” access includes gaining a small amount (i.e., one or two items), partial access (i.e., some large number), or broad access (i.e., the full database) from Contacts, Mail, Messages, Notes, Photos, or real-time or historical precise location data — or similar user data — that would normally be prevented by the system.

 

The top payouts in each category are reserved for high quality reports and are meant to reflect significant effort, and as such are applicable to issues that impact all or most Apple platforms, or that circumvent the full set of latest technology mitigations available. Payouts vary based on available hardware and software mitigations that must be bypassed for successful exploitation.

 

There is a $5,000 minimum payout for all categories.

 


Quote

The top payouts will go to researchers who discover bugs that affect multiple Apple platforms, especially if the issue affects the latest Apple devices and software. Any bug discovered in a beta version will earn the researcher a 50 percent bonus in addition to the standard reward. Among the potential payouts: A researcher who can bypass a device’s lock screen can earn between $25,000 and $100,000; gaining unauthorized iCloud access could net between $25,000 and $100,000; and extracting sensitive data from a locked device could be worth between $100,000 and $250,000.

 

The most lucrative bugs for researchers, however, will be those that produce attacks that take over a device without any action on the part of the user; so-called zero click attacks. The requirements are strict to collect a bounty in these instances and require a full exploit chain to be submitted with the report.

 

Even though it’s only been in place since 2016, Apple’s bug bounty program is one of the more lucrative among tech giants, and now joins competitors whose bug bounties already were open to the public.

I gotta say that Apple is always late on these. They gotta take a lot of heat and flak first before they do something right. I mean, look how long it took for them to give the pros what they want with the 16" MacBook Pro 2019 and the 2019 Mac Pro. Apple opened up an iOS-only bug bounty in 2017 and back then, it was invite only. It was criticized for Apple being cheap. Then, two years later, they also included macOS in the scope of their bug bounty and they're giving pre-jailbroken iPhones to security researchers.

 

And now, they're doing what the rest of the industry has been doing for years, a public bug bounty, and I gotta say, they've bumped up the payouts this time, up to a million dollars (US) for a zero-day RCE with persistence requiring zero user interaction. That's actually way more than what Intel is paying with their cheap bug bounty. It makes me wonder why so many vulnerabilities are being reported on Intel chips aside from Spectre and Meltdown. Apple's bug bounty is also higher than what Samsung is paying.

 


 

But before anything else, there are T&Cs to follow, such as the following:

  1. You are not qualified if you live in a country currently under US sanctions (North Korea, Iran, Syria, Sudan, Cuba and Venezuela)
  2. If you have made online videos about your discovered vulnerability/ies before reporting to Apple, that would disqualify you from joining and claiming the payout.
  3. If Apple finds out that you've sold or given the vulnerabilities you've found to third parties, that also means disqualification.

So, anyone who has skills in hacking like Marcus Hutchins aka [at]MalwareTechBlog, who was responsible for shutting down the WannaCry spread, and would like to earn large amounts of money, can now include hacking Apple stuff in that cash cow. This is now in line with Google's bug bounty, which would pay I think $1.5 million to someone who can hack the Titan security chip inside Pixel phones.

There is more that meets the eye
I see the soul that is inside

 

 


23 minutes ago, VegetableStu said:

the movies keep making this look simple, LOL

Mr. Robot has something similar. It’s not an RCE but close enough.

 


1 hour ago, captain_to_fire said:

Mr. Robot has something similar. It’s not an RCE but close enough.

 

Love Mr. Robot, the lengths the team went to to ensure that everything was "real" and legit were really good. I remember they featured a version of Elasticsearch (Kibana) in one of the scenes, and they actually worked with Elasticsearch to use an older version that was out in the same timeframe they were shooting in, amongst other stuff. Definitely the best series or film I've seen with regards to how "hacking" is portrayed.

System/Server Administrator - Networking - Storage - Virtualization - Scripting - Applications


While I prefer your version of the post...
 

 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


11 hours ago, rcmaehl said:

While I prefer your version of the post...

The other post only talked about T2 and that’s what most of the people commenting on that thread are fixated on.


One of the clear distinguishing factors Apple is doing here is paying out (more) to researchers if they report during the beta stage.

Other companies tend not to pay out for issues found during this stage, which leads researchers to wait for the software to ship before they inform the vendor. By offering a bounty on betas, and even increasing the rate, Apple is actively encouraging researchers to discover issues before the software ships. Hopefully other companies out there start to do the same.


1 hour ago, hishnash said:

One of the clear distinguishing factors Apple is doing here is paying out (more) to researchers if they report during the beta stage.

Other companies tend not to pay out for issues found during this stage, which leads researchers to wait for the software to ship before they inform the vendor. By offering a bounty on betas, and even increasing the rate, Apple is actively encouraging researchers to discover issues before the software ships. Hopefully other companies out there start to do the same.

This assumes Apple actually pays up and doesn't simply stiff companies on their research and findings. Apple has a habit of crapping all over smaller companies they don't necessarily agree with. Just imagine what a pain in the ass trying to sue Apple would be. I'm sure they pay out to some, but researchers getting stiffed is probably far more frequent.


6 hours ago, Founders said:

This assumes Apple actually pays up and doesn't simply stiff companies on their research and findings. Apple has a habit of crapping all over smaller companies they don't necessarily agree with. Just imagine what a pain in the ass trying to sue Apple would be. I'm sure they pay out to some, but researchers getting stiffed is probably far more frequent.

Yeah, I'm not sure about this. There usually isn't much publicity around successful bug bounty hunters, so we don't really know if they stiff these companies, but it would seem somewhat likely. I do recall the teenager from the UK who discovered the FaceTime vulnerability, but I think it was an undisclosed amount of compensation in that story. But it's ultimately good for the industry to have all these companies running bug bounty programs.


2 hours ago, ZacoAttaco said:

There usually isn't much publicity around successful bug bounty hunters, so we don't really know if they stiff these companies, but it would seem somewhat likely.

This one got reported via HackerOne and it received publicity, and the researchers received $100,000.

 


9 hours ago, ZacoAttaco said:

Yeah, I'm not sure about this. There usually isn't much publicity around successful bug bounty hunters, so we don't really know if they stiff these companies, but it would seem somewhat likely. I do recall the teenager from the UK who discovered the FaceTime vulnerability, but I think it was an undisclosed amount of compensation in that story. But it's ultimately good for the industry to have all these companies running bug bounty programs.

While I agree they should have paid up, that was before Apple made the bug bounty open to anyone, so under their terms a random citizen could not claim it. This is why making it open to everyone is so important.

The other side of it is how one reports. Most companies (Apple, Google etc.) will require you to report security issues through a dedicated security channel (with encrypted messaging). The fact is security researchers know this, and also know that they should not just report through the `plain text` bug reporting channel, since that is not secure (people within the vendor company who do not have high security clearance will be handling it).

Having worked in companies that have found security issues, I can say that the typical process is to keep the bug (even internally within the company) very secret until it has been resolved. The reason for this is that while one trusts one's employees, at some point you don't want them to be responsible for accidentally revealing the issue. Only those who need to know are typically informed of a security issue until it is resolved.

What companies should do (Apple included) is make it simpler and easier to report this, and when using the regular bug reporting, prompt users to report it as a security vulnerability if they believe it is one (so that it goes through the correct channels). But the issue here is spam. In the end, none of these companies want to get a massive load of people reporting security bugs that are not valid security bugs, which will block the small (experienced) security teams who are reviewing these from finding the real bugs.
