Apple Debuts Bug Bounty Program, Pays Up To $200K For Finding Vulnerabilities In Its Software
Addressing the security of its platforms at the Black Hat security conference today, Apple announced a bug bounty program that will see the company compensate hackers and security researchers with up to $200,000 in cash rewards for identifying vulnerabilities in its software.
The program is slated to kick off this September and will admit members on an invite-only basis. Invite-based induction is uncommon for such programs, though Apple’s cautious foray into this territory is right in line with its modus operandi.
The company has, however, expressed the desire to gradually make the program more open, and has even promised to consider inducting independent hackers who approach them with critical vulnerabilities.
As of this writing, the program’s bounties are divided into five categories. The first promises maximum payments of $200,000 for vulnerabilities in boot firmware components, while finding holes in the security of the sensitive biometric data protected by the company’s Secure Enclave could yield up to $100,000 in the second category. The remaining three cover executing code with kernel privileges for a maximum bounty of $50,000, unauthorized access to iCloud data at $50,000 and access to data external to a sandboxed process for $25,000.
Apple was among the few remaining big players in the tech industry without a security bounty program in place, with the likes of Google, Microsoft and Facebook having hopped on the bandwagon quite some time ago.
This long-overdue shift in strategy comes on the heels of the San Bernardino case, which sparked off a gruelling battle between Apple and the state, as the latter continued to ask the company to provide a custom-made “GovtOS” backdoor to the iPhone of an alleged shooter. The case concluded with law enforcement claiming to have found an unknown security hole in iOS that allowed them to gain access to the device. What followed was criticism directed at Apple’s approach to tackling the security of its platforms, and here we are.
While this announcement means nothing but positive change for the security of Apple software, users inclined to free their iOS devices from their shackles cannot be faulted for being concerned about what this means for the future of the jailbreak community, though it might be too early to answer that question.