A group of security researchers has received $288,500 from Apple for discovering 55 vulnerabilities, including 11 critical issues in the company's core systems, over a three-month engagement against the US technology major's infrastructure.
The critical bugs would have allowed an attacker to take control of core Apple infrastructure and, from there, to steal private emails, iCloud data and other private information.
Apple has been fixing the vulnerabilities. Of the 55 reports, 11 were rated critical severity, 29 high, 13 medium and 2 low.
The total payout is expected to surpass $500,000 once Apple processes the remainder, says web application security researcher Sam Curry, who was part of the group.
Apple, which reported revenue of $59.7 billion in the June quarter, had fixed the majority of these issues as of October 6. They were typically remediated within one to two business days, with some being fixed in as little as four to six hours.
The researchers targeted Apple's web assets after reading about 27-year-old Indian security researcher Bhavuk Jain, who recently received $100,000 (over Rs 75.5 lakh) from Apple for discovering a now-patched zero-day vulnerability in the Sign in with Apple authentication system.
“This was surprising to me as I previously understood that Apple’s bug bounty program only awarded security vulnerabilities affecting their physical products and did not pay for issues affecting their web assets,” Sam Curry said.
Between July 6 and October 6, Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes worked together on the effort against Apple's systems.
“If the issues were used by an attacker, Apple would’ve faced massive information disclosure and integrity loss,” Sam Curry said.
“For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend.”
Apple has been actively investing in its bug bounty programme, and security researchers can receive up to $1 million per vulnerability depending on the nature and severity of the security flaw.
“As of now, October 8th, we have received 32 payments totalling $288,500 for various vulnerabilities,” Sam Curry said. “It appears that Apple does payments in batches and will likely pay for more of the issues in the following months.”
Sam Curry said that Apple has had an interesting history working with security researchers, but that its vulnerability disclosure program appears to be a massive step in the right direction toward working with hackers to secure assets and allowing those interested to find and report vulnerabilities.