Apple recently paid a white hat hacker $75,000 after he unearthed a number of zero-day vulnerabilities that could have allowed a malicious actor to gain access to the camera on a user’s iPhone or MacBook.
As Forbes first reported, Ryan Pickren, a former Amazon security engineer, was curious about exploring and finding potential security loopholes on the iPhone.
The report reads in part:
Indeed, Apple really locks down the iPhone camera and requires explicit permission from users anytime a third-party app wants to access it. Pickren, though, discovered that explicit permission is not required when the request comes directly from another Apple application.
Pickren therefore went looking for vulnerabilities in mobile Safari that would allow him to access the iPhone camera. Ultimately, he found not one but seven zero-day vulnerabilities in mobile Safari. He then chained three of them together to gain access to the iPhone camera.
Pickren told Apple about his findings late last year, and the security exploit was ultimately fixed in late January with a Safari update.
Interestingly, Apple has historically shied away from paying researchers for unearthing bugs, in stark contrast to companies like Microsoft and Google. That changed in August 2016, when Apple instituted its first bug bounty program.
Naturally, the payout Apple offers for undisclosed bugs varies with the severity of the bug and the type of application involved. For instance, Apple will pay $100,000 for a lock screen bypass. That number jumps to $250,000 for an attack capable of extracting user data. The biggest payout Apple offers is $1,000,000, a prize reserved for anyone who can demonstrate an advanced network attack requiring no user interaction.
The matrix below highlights a few of the payout options:
Image Source: LetsGoDigital, YouTube