Apple during a presentation at this year's Black Hat security conference announced plans to institute its first ever bug bounty program, an initiative that pays out cash for previously undiscovered software and hardware vulnerabilities.
When the program goes live in September, security researchers probing Apple's latest products for weaknesses will be able to hand over working exploits for cash rewards, or bounties. Smaller firms and industry organizations are no stranger to bug bounty incentives, making Apple one of the last major consumer electronics brands to move away from internal testing and toward public incentives.
As noted in Apple's presentation, the initial set of bounties look to shore up defenses of high-level computing assets and first-party security elements. Maximum payments include $200,000 for secure boot firmware components, $100,000 for extraction of confidential material protected by the Secure Enclave Processor, $50,000 for execution of arbitrary code with kernel privileges, $50,000 for unauthorized access to iCloud account data on Apple servers and $25,000 for access from a sandboxed process to user data outside of that sandbox.
Like all things Apple, the bug bounty payout mechanism comes with a twist. Security researchers who choose to give their awards to charity will find their donations matched one-to-one by Apple.
For now, Apple's bug hunting apparatus will be open only to a select group of invited researchers. The company did not announce who, exactly, was asked to participate, but did say non-members who find a particularly interesting bug might find themselves invited to join the elite cadre.
It seems that Apple intends to expand the program beyond the initial set of bug categories, though it did not share details on those plans today.
Apple has always been open to external input when it comes to product security, a recent example being the discovery of a potentially dangerous iOS vulnerability resembling Android's Stagefright exploit. The flaw, which impacted iOS, Mac and tvOS devices, was patched with in a round of software updates in July.
With the bug bounty program Apple hopes to incentivize threat discovery, a model that plays to both white and gray hat hackers. The more eyes on its products, the higher the chance Apple has of detecting and dealing with a threat before it impacts millions of device owners around the world.
6 Comments
I think Apple will not "move away from internal testing", but will add the bug bounty program as an extra layer of effort.
I wonder how this compares to payouts from some of the "competition" such as less than scrupulous companies, the US government's NSA, well-funded hackers, etc.? If I were to find a firmware vulnerability a $1 million check would be very tempting vs. that $200k.
Wow, even more reason to get into development and security. Been meaning to start learning this stuff anyway. Would be pretty interesting to work in that field.