Apple’s head of security engineering and architecture, Ivan Krstic, announced that Apple is ready to open up its vulnerability reporting process to researchers. The company is launching a bug bounty program that offers rewards for zero-day vulnerabilities that allow malicious code exploits.
This idea came about after an incident involving Ahmed Mansoor, an activist in the United Arab Emirates, in which three zero-days capable of spying on his messaging and calls were discovered. This incident caused Apple to realize that hackers had shifted their focus from desktops/laptops to mobile phones.
The iOS exploit used to target Mansoor was a three-pronged approach that started as a very believable phishing attack that, when clicked, downloaded two kernel exploits to the device. Now that the malware has been exposed, Citizen Lab has discovered that the exploit was the work of an Israel-based surveillance software developer group, NSO. Lookout estimates that the exploit has been available for purchase for approximately two years.
Now that the NSO group has been made public and the zero-days have been patched, there are ways to scan whether your devices have been compromised, and Apple is pushing harder than ever before to find its vulnerabilities.