A number of large technology companies have introduced bug bounty programs over the last few years, but one conspicuous holdout has been Apple, which has refused to pay third parties for reporting vulnerabilities. But that’s about to change.
Speaking at the Black Hat conference, Ivan Krstic, Apple’s head of Security Engineering and Architecture, said the Cupertino company will begin offering cash rewards ranging from $20,000 to $200,000 to researchers who discover security flaws in Apple’s products.
In a departure from most bug bounty programs, Apple is encouraging those who receive the rewards to donate them to charity, at which point the company will match the donation if it approves the institution.
When the program first starts it will be invite-only and consist of a few dozen researchers who have previously made valuable vulnerability disclosures to the company. TechCrunch reports that the firm decided opening the program up to the public could bring a slew of fake reports that may overshadow some of the higher-risk bugs. The publication also notes, however, that Apple plans to expand the program over time and will open it up to any non-members that find significant security issues.
Apple is limiting its program to five categories of vulnerabilities: the highest payout is for the discovery of bugs in secure boot firmware components; researchers who find ways of extracting confidential data from the secure enclave will receive up to $100,000; execution of arbitrary or malicious code is worth up to $50,000, as is access to iCloud account data; and access from a sandboxed process to user data outside the sandbox offers rewards of up to $25,000.
While Apple says it is launching the program simply because bugs are becoming harder to find, the San Bernardino iPhone case from earlier this year is likely to be a major factor behind the introduction. After the company refused to help the FBI unlock the device that belonged to shooter Syed Rizwan Farook, the government agency reportedly paid third-party hackers $1 million for an exploit that allowed them to circumvent the iPhone’s brute-force protection features.