Apple announces upcoming bug bounty program, initially invite-only

By Mikey Campbell

Apple during a presentation at this year's Black Hat security conference announced plans to institute its first ever bug bounty program, an initiative that pays out cash for previously undiscovered software and hardware vulnerabilities.

When the program goes live in September, security researchers probing Apple's latest products for weaknesses will be able to hand over working exploits for cash rewards, or bounties. Smaller firms and industry organizations are no stranger to bug bounty incentives, making Apple one of the last major consumer electronics brands to move away from internal testing and toward public incentives.

As noted in Apple's presentation, the initial set of bounties look to shore up defenses of high-level computing assets and first-party security elements. Maximum payments include $200,000 for secure boot firmware components, $100,000 for extraction of confidential material protected by the Secure Enclave Processor, $50,000 for execution of arbitrary code with kernel privileges, $50,000 for unauthorized access to iCloud account data on Apple servers and $25,000 for access from a sandboxed process to user data outside of that sandbox.

Like all things Apple, the bug bounty payout mechanism comes with a twist. Security researchers who choose to give their awards to charity will find their donations matched one-to-one by Apple.

For now, Apple's bug hunting apparatus will be open only to a select group of invited researchers. The company did not announce who, exactly, was asked to participate, but did say non-members who find a particularly interesting bug might find themselves invited to join the elite cadre.

It seems that Apple intends to expand the program beyond the initial set of bug categories, though it did not share details on those plans today.

Apple has always been open to external input when it comes to product security, a recent example being the discovery of a potentially dangerous iOS vulnerability resembling Android's Stagefright exploit. The flaw, which impacted iOS, Mac and tvOS devices, was patched with in a round of software updates in July.

With the bug bounty program Apple hopes to incentivize threat discovery, a model that plays to both white and gray hat hackers. The more eyes on its products, the higher the chance Apple has of detecting and dealing with a threat before it impacts millions of device owners around the world.