Apple Announces Launch of a Security Bounty Program

At the Black Hat 2016 security research conference held in Las Vegas on Thursday, Apple’s head of security engineering Ivan Krstic announced the launch of a bug bounty program, and promised to prioritize pushing updates. Security researchers will be paid – up to $200,000 – for discovering and reporting major bugs and security flaws in the latest version of iOS or the most recent generation of hardware devices.

The bug bounty program is planned to launch in September, and it is invitation only. Initially the program is open to a few dozen researchers from the expert teams who have helped Apple find vulnerabilities before. It won’t be open to just any old hacker. Limiting who can participate, as Apple explains, is meant to filter out spurious submissions and ensure the credibility of bug reports, so that trusted researchers receive adequate support and resources from the company.

Apple also says the program will become more open as it grows, and that if a researcher outside the initial group approaches Apple with a high-value security flaw, that researcher still has a chance of being paid, or even of being invited into the program to work it out.

Previously, Apple relied on its internal security teams and informal relationships with outside researchers to discover product vulnerabilities. The company didn’t offer rewards to researchers who found security bugs in its products. Apple now says the bug bounty is meant to acknowledge how difficult it is to find a weakness in its systems.

Apple will offer bounties to researchers depending on the severity and category of the vulnerability that’s discovered. The factors that influence the exact reward amount include “the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability”. Krstic listed five categories of bug and the top fee paid for each (shown in the picture below); macOS is not covered as part of the program.

Many tech companies like Google, Microsoft, Facebook, and Yahoo already offer similar financial incentives to encourage people to discover and report security vulnerabilities in their products. Last month Google said that it had paid $550,000 in total to 82 people who had found vulnerabilities in its Android software. Since launching its reward program 3 years ago, Microsoft has distributed $1.5 million in bonuses to security researchers. Apple had declined to offer a similar reward program until now.

What do you think of Apple’s bug bounty program? Share your idea in the comments.
