TechSpot

Apple finally announces bug bounty program, will pay up to $200,000 for discovered vulnerabilities

By midian182
Aug 5, 2016
  1. A number of large technology companies have introduced bug bounty programs over the last few years, but one conspicuous holdout has been Apple, which has refused to pay third parties for reporting vulnerabilities. That is about to change.

    Speaking at the Black Hat conference, Ivan Krstic, Apple's head of Security Engineering and Architecture, said the Cupertino company will begin offering cash rewards ranging from $20,000 to $200,000 to researchers who discover security flaws in Apple's products.

    In a departure from most bug bounty programs, Apple is encouraging those who receive the rewards to donate them to charity, at which point the company will match the donation if it approves the institution.

    When the program first starts it will be invite-only, consisting of a few dozen researchers who have previously made valuable vulnerability disclosures to the company. TechCrunch reports that the firm decided opening the program to the public could bring a slew of low-quality or bogus reports that would bury the higher-risk bugs. The publication also notes, however, that Apple plans to expand the program over time and will admit non-members who find significant security issues.

    Apple is limiting its program to five categories of vulnerability. The highest payout, up to $200,000, is for bugs in secure boot firmware components; extracting confidential material protected by the Secure Enclave is worth up to $100,000; execution of arbitrary code with kernel privileges is worth up to $50,000, as is unauthorized access to iCloud account data on Apple's servers; and access from a sandboxed process to user data outside the sandbox earns up to $25,000.

    While Apple says it is launching the program simply because bugs are becoming harder to find, the San Bernardino iPhone case from earlier this year is likely a major factor behind the introduction. After the company refused to help the FBI unlock the device that belonged to shooter Syed Rizwan Farook, the agency reportedly paid third-party hackers around $1 million for an exploit that allowed it to circumvent the iPhone's brute-force protections, that is, the passcode-retry limit and the auto-erase that follows too many failed attempts.

    Image credit: pixeldreams.eu / shutterstock

  2. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,519   +2,060

    Is this the same Apple who brags to everybody, or to those who dare to believe them, that their overrated and foolproof stuff may have a vulnerability or two?
  3. BSim500

    BSim500 TS Guru Posts: 199   +277

  4. Uncle Al

    Uncle Al TS Evangelist Posts: 1,684   +790

    They need to follow Microsoft's example .... in the old days they would release a buggy beta, then read all the message boards to find out the fix ... then incorporate it into the product ...... a great no-cost solution!