Security exploits are big business for cybercriminals, but Apple hopes to win them over with an expanded bug bounty program offering up to $1.47m ($US1m) for exploits that bypass its built-in security mechanisms.

When it was first launched in 2016, Apple’s Security Bounty program covered only iOS devices and was run as an invitation-only program for a small set of trusted researchers.

However, the program is now open to the public at large and covers all of Apple’s operating systems – iOS, iPadOS, macOS, tvOS and watchOS – as well as its iCloud hosted service platform.

Inviting the world’s best security experts to hack its platforms is a big step for the company, whose long-running secrecy about its internal workings was pilloried when Golden Globes host Ricky Gervais lambasted it yesterday – and CEO Tim Cook, who was in attendance – for running “sweatshops in China”.

Compensation for exploits ranges from $36,720 ($US25,000) for an iPhone lock-screen bypass that provides “a small amount of sensitive data” to $147,000 ($US100,000) for a method of gaining “broad unauthorised control” of iCloud account data hosted on the company’s servers.

Apple will pay up to $367,000 ($US250,000) for a ‘one-click’ network attack – one that still depends on some user interaction, such as opening a link or a file – that executes arbitrary kernel code on the target device, the type of attack that commonly leads to the installation of ransomware or other malware.

The top prize – for a program whose stated aim is “to protect customers through understanding both vulnerabilities and their exploitation techniques” – is reserved for a ‘zero-click’ exploit that compromises a Mac, iPhone or other device without any interaction from the user, along the lines of the BlueKeep vulnerability that set Microsoft and the security world on edge last year. To qualify for the full $US1m, the exploit must achieve kernel code execution that persists across reboots and bypasses kernel pointer authentication (PAC).

Security researchers must provide a detailed description of the issue and the steps needed to reproduce it, including source code and sample malicious payloads where applicable.

Bonuses can push payouts higher still – for example, for regressions, where a bug that was previously discovered and fixed has been reintroduced.

The company has also imposed a series of tight conditions – including a ban on disrupting any Apple service or probing its Apple Pay payments system – designed to prevent a potentially damaging free-for-all by the world’s community of security researchers.

Crowdsourcing security

Bug-bounty programs have become increasingly common in an industry where the complexity of code, and the fast pace of development, mean potential security flaws are endemic.

Developers use defect-density metrics to track the quality of their code, and a widely cited industry rule of thumb (from Steve McConnell’s Code Complete) puts typical delivered software at roughly 15 to 50 defects per 1000 lines of code – only a fraction of which are security-relevant, but enough to guarantee that no large codebase ships without some.

Australian-founded firm Bugcrowd was an early mover in formalising bug bounties that outsource the systematic detection of such errors, offering managed programs that let nearly any company draw on the security researcher community’s collective expertise.

Hundreds of companies – including industry giants like Microsoft and Google that offer potentially massive payouts – are currently running public bug-bounty programs, which have become de facto sources of extra income for security researchers.

“Why did I decide to focus on Microsoft instead of Apple,” security researcher Marcus Hutchins lamented after hearing about Apple’s new program. “Bug bounty for a Windows Zeroclick is $30k.”

Bug-bounty programs are more than a way of outsourcing quality testing, however: by offering larger and larger rewards, companies hope to incentivise would-be cybercriminals to disclose their new exploits rather than selling them or publishing them broadly online – as happened when the source code of the damaging Mirai Internet of Things (IoT) botnet was released to the world for free.

Exploitable vulnerabilities have become big business within hacker communities, with a recent Tenable analysis finding that the ‘vulnerability to exploit’ supply chain has become a “quite sophisticated” ecosystem whose reach and resources far outpace those of the companies defending against them.

Brokers of new security exploits are paying five times as much now as they were two years ago, Tenable warned in highlighting the economic forces against which Apple, Microsoft, Google and other bug-bounty adopters are fighting.

“Although cybercrime and cybersecurity are adversarial in principle,” the report noted, “a closer inspection of the associated supply chains and markets reveals a more symbiotic relationship, with supply chains mirroring each other and… intersecting and overlapping.”