Apple finally announces a bug bounty program of its own -- but it's not open to everyone
Bug bounty programs have become commonplace in recent years. Tech companies offer rewards to coders, engineers and hackers who manage to unearth security vulnerabilities in their software, which means problems are detected and patched faster than they otherwise would be.
It is something that the likes of Google and Microsoft have offered for some time, and now Apple has decided it wants a piece of the action as well. Starting in September, the company will pay out up to $200,000 for vulnerabilities identified in its software and services.
Announced at the Black Hat security conference in Las Vegas a few days ago, Apple's decision to offer a bug bounty program has been a long time coming. Apple's head of security engineering and architecture, Ivan Krstić, explained that the program will operate in a slightly different way to other companies' -- it will be a closed program available only to an invited group of researchers.
To start with, there is a limited set of vulnerability categories for which Apple will offer money:
- Secure boot firmware components -- up to $200,000
- Extraction of confidential material protected by the Secure Enclave Processor -- up to $100,000
- Execution of arbitrary code with kernel privileges -- up to $50,000
- Unauthorized access to iCloud account data on Apple servers -- up to $50,000
- Access from a sandboxed process to user data outside of that sandbox -- up to $25,000
While it's slightly disappointing to find that Apple's bug bounty program is closed, it is likely to open up in the future. That said, there's nothing to stop the company from bending its own rules and coughing up a little cash if an uninvited researcher were to uncover a serious security issue that needs to be addressed.