Apple, the international phone manufacturer, has officially launched its latest vulnerability submission reward plan (bug bounty program), now open to researchers in all security fields. Apple raised the bonus ceiling from $200,000 to $1.5 million; the specific bonus is determined by the complexity and severity of the exploit chain.
Ivan Krstić, Apple's head of security engineering and architecture, announced the new plan at the Black Hat security conference in the US in August this year. Before this, the reward plan Apple had run since 2016 was invitation-only rather than fully open, and it accepted only security vulnerabilities in the iOS system. Perhaps because the old plan's bonuses were low, researchers were not very enthusiastic about submitting vulnerabilities in the past.
Under the new plan, the scope of accepted submissions has been extended to more Apple products, including iPadOS, macOS, tvOS, watchOS and iCloud. To formally explain the rules, Apple has published a new description document on its official website, detailing each rule of the reward plan and listing the bonus range for each type of security vulnerability.
According to the description document, the requirements of the new plan are relatively strict, and the threshold for the highest reward is set very high. Researchers who want to earn the top bonuses and awards must submit a clearly described and detailed vulnerability report.
A complete report must include the following:
- A detailed description of the vulnerability submitted;
- Any preconditions and the steps needed to bring the affected system into the vulnerable state;
- A reasonably reliable exploit for the submitted vulnerability;
- Any information that helps Apple's security team reproduce the issue.
Reporting attacks that can be launched "with one click" or even "with zero clicks" can bring the submitter a large bonus, but for these reports Apple requires the complete exploit chain to be submitted as well. Such reports must additionally include:
- The exploit in both compiled and source form;
- All conditions required for the attack to succeed;
- Where necessary, a non-destructive sample of the malicious program.
Apple's security team is also particularly interested in security issues with the following characteristics:
- Vulnerabilities that affect multiple different platforms;
- Vulnerabilities that affect the latest released software and hardware;
- Novel vulnerabilities in new features, or in developer beta and public beta code;
- Vulnerabilities affecting sensitive components;
- Emerging classes of vulnerability.
Reporting vulnerabilities of these kinds gives you a greater chance of winning a bonus of up to $1.5 million. At present, the single highest-paying category is "zero-click kernel code execution with persistence and kernel PAC bypass", under the heading of "network attacks that require no user interaction", with a bonus of US $1 million.
In addition, Apple attaches great importance to vulnerabilities in beta products. Researchers who submit vulnerabilities found in beta products may receive an additional reward of up to 50% on top of the regular bonus. This is because such submissions help Apple fix fatal vulnerabilities and improve system security before the relevant software is officially released, avoiding harm to thousands of Apple users and billions of Apple devices.
For vulnerabilities that were fixed in an older version of the software but reappear in a later version (regressions), Apple will also pay an additional reward of up to 50%.
If an attack exploits three security vulnerabilities, the submitter must attach the exploit chain covering all of them in the vulnerability report; otherwise they will not be eligible for the highest reward.
According to security experts, the difficulty in running a vulnerability reward plan lies in defining the standard for what counts as a valid or invalid vulnerability, establishing the real impact of each vulnerability, and filtering out the many minor reports that fall below the set standard.
Although a "vulnerability submission reward plan" indirectly shifts some of the responsibility onto security researchers, it does enable Apple's security team to find these vulnerabilities faster, prioritize their repair, and concentrate on fixing the most impactful and critical security vulnerabilities to eliminate potential risks. For Apple, it may take more time to fully implement the new plan and change the way it is perceived by the security research community.