Apple is giving out special versions of the iPhone to security researchers who have the opportunity to collect as much as $1.5 million from Apple. Announced last week at the Black Rock cybersecurity conference in Las Vegas (where ironically Apple earlier this year put up a billboard reading “What happens on your iPhone stays on your iPhone”), the tech giant is giving these experts the task of hacking into the iPhone to find vulnerabilities and security flaws. Apple security chief Ivan Krstic says that these special iPhones come with “advanced debug capabilities.” Unlike the units sold to consumers, these will allow researchers to access parts of iOS that are off-limits to most users.
The so-called iOS Security Research Device Program will get underway next year and while anyone can apply to receive one of the special iPhone units, Apple says that there will be a limited amount handed out. Most likely only qualified security researchers will be able to obtain one of these devices. Even though they will be much more open than a store-bought iPhone, the researchers won’t have the same access that Apple’s own internal security team has on their iPhones.
Companies like Apple and Google pay these researchers to find flaws as an incentive. In addition, Apple would prefer that a security expert who finds a vulnerability tell the company about it instead of selling it or using it for their own evil intentions. Flaws found on iOS are said to bring researchers as much as $1 million from hackers willing to pay that much. Apple announced last week that a researcher can receive $1 million by finding a flaw allowing him or her to take over full control of an iPhone without the owner touching the handset. Other flaws can also handsomely reward a researcher as Apple is willing to pay up to $500,000 for the information. Google announced last month that it will pay up to $30,000 to a researcher finding flaws in its Chrome browser while paying $150,000 if it is told about a flaw that can compromise its Chrome OS.
“We want to attract some of the exceptional researchers who have thus far been focusing their time on other platforms. Today many of them tell us they look at our platform and they want to do research but the bar is just too high. We have by far the highest maximum payouts in the industry, and we have the iOS security research device program for exceptional researchers that are new to our platform”-Ivan Krstic, head of security engineering and architecture, Apple
Researchers who find a vulnerability in code found on beta software will receive a 50% bonus from Apple. That is to reward an expert who has identified a problem before the bug is passed along to the public, and brings the top possible award handed out by Apple to $1.5 million. As the company’s security chief points out, “The second-best reason to have a bug bounty is to find out about a vulnerability that’s already in the users’ hands and fix it quickly. The number one best reason is to find a vulnerability before it ever hits a customer’s hands.”
Apple’s new program might have received more applause if it wasn’t for the limited number of special iPhones it is handing out. As iOS security researcher Will Strafach noted, “It’s a huge step, but I do think it would be great if there were a bit more wide availability of the devices.” Apple might be concerned that the wider availability of these units might lead to several ending up in the wrong hands, creating more problems for the company. Still, with all this money at stake, regular iPhone owners should benefit from the incentives that Apple is throwing at security experts.