Apple awarded $50,000 to a group of hackers for discovering vulnerabilities in the company's systems. The group consists of five professional hackers who spent almost three months probing Apple platforms and services for weaknesses.
The team includes Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes, who together exposed 55 vulnerabilities in Apple platforms, several of them critical.
“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”
“Overall, Apple was very responsive to our reports. The turnaround for our more critical reports was only four hours between time of submission and time of remediation.”
Under Apple's Security Bounty Program, the group received a payment of $51,500. The payment was split according to the different weaknesses the group exposed: $5000 for disclosing the names of iCloud users, $6000 for finding IDOR vulnerabilities, $6500 for gaining access to internal corporate environments, and $34,000 for discovering system memory leaks.
“Since no one really knew much about their bug bounty program, we were pretty much going into uncharted territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities.”
Since last year, Apple has been actively investing in its Bug Bounty program. Under the program, any security researcher who finds a bug in iOS, tvOS, watchOS, or iCloud is eligible for a cash payment for disclosing the vulnerability to Apple.
Apple has also raised the maximum bounty from $200,000 per disclosure to $1 million, depending on the severity of the bug.