Apple launches security portal, blog and more
Apple wasn’t fooling when it said it intended to improve security across its platforms. It has been intensifying this effort for years, and says it has paid out nearly $20 million to security researchers since it opened its bug bounty program to all researchers in 2019.
Introducing Apple Security Research
Apple has published a new security research portal where it shares detailed blog posts, technical write-ups and security advice, and provides a route through which researchers can contact its own security engineers.
“Our groundbreaking security technologies protect the users of over 1.8 billion active devices around the world. Hear about the latest advances in Apple security from our engineering teams, send us your own research, and work directly with us to be recognized and rewarded for helping keep our users safe,” Apple explains.
The range of information available on the site includes details concerning the Apple Security Bounty program. Apple says it has published this information to share approaches, challenges, and solutions with the wider developer community.
The pages show the importance Apple attaches to finding and fixing memory safety vulnerabilities, such as those in the XNU kernel of iPhones, iPads and Macs. It also explains the company’s approach to security update deployment.
What Apple offers
Apple offers security researchers the chance to apply for an Apple Security Research Device. Available in strictly limited numbers, this is a specially fused iPhone that gives researchers shell access and lets them perform iOS security research without first having to bypass the device’s security protections. It isn’t available in U.S. embargoed countries or regions, nor to anyone on the U.S. Department of the Treasury’s Specially Designated Nationals List, the U.S. Department of Commerce’s Denied Persons List or Entity List, or any other restricted party list.
[Also read: WWDC: What is Rapid Security Response and how to enable it?]
Apple also offers a one-stop space from which to access its developer resources for security, the company’s extensive platform security guides, and recruitment opportunities for security researchers at the company.
What about Apple Security Bounty?
The company has also published a blog explaining its bounty scheme for security researchers. This began quietly in 2016 and opened more widely in 2019.
Apple says it has paid nearly $20 million over the last two and a half years. The average payment is $40,000, and there have also been 20 larger rewards of $100,000 or more for high-impact issues.
Apple also explained some of the ways it has improved its approach to working with the wider security community. Improvements include better reporting tools, faster responses, and a new tracking tool that lets researchers follow the status of their report. There is also more transparency, including greater clarity around how bounty payments are decided, as the company seeks to protect its 1.8 billion actively used devices.
Researchers seem pleased, as this Tweet helps show.
https://twitter.com/pwnallthethings/status/1585739573392703490?s=46&t=yXLMXpGab-rJW3nklJlFmA
What comes next?
“We have much more planned for the coming year, including an expanded research scope for Apple Security Bounty and other program enhancements,” the company said.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.