Apple announces $200,000 bug bounty program open for outside security researchers
Unlike many of the other major tech companies, Apple has never had a formal bug bounty program or corporate policy for welcoming outsiders who poke holes in their security features. However, as TechCrunch reports today, Apple's head of Security Engineering and Architecture Ivan Krstic announced at Black Hat that his company will now offer cash bounties of up to $200,000 for hackers and researchers who find and report security flaws in Apple products.
Tech companies hold the keys to some of our most personal information payment details, health records, chat logs with our lovers and archives of family photos and, as we hand over more and more private data, it becomes increasingly important that companies earn our trust by keeping it secure.
The announcement came during Krstic's larger talk about the security features built into some of Apple's newest services.
According to Securosis CEO and iOS security analyst Rich Mogull, the bounty is "the largest potential payout I'm aware of," but also fairly limited in scope: the guidelines focus on a very specific set of vulnerabilities and Apple is currently working with a select list of researchers. (Although, the company says if someone outside the initial group finds a bug, they can easily be included in the program.) The highest level bounty covers bugs found in secure boot firmware components, but there are also smaller bounties for gaining unauthorized access to things like iCloud account data -- a major talking point after the infamous celebrity photo hack.
The program launches in September with five categories of risk and reward:
- Vulnerabilities in secure boot firmware components: Up to $200,000
- Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
- Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
- Access to iCloud account data on Apple servers: Up to $50,000
- Access from a sandboxed process to user data outside the sandbox: Up to $25,000
While $200,000 might be high for an official corporate bounty program, it's still only a fraction of a payout like the $1 million the FBI reportedly paid hackers to break into an iPhone owned by one of the shooters involved in the San Bernardino incident last year. And such high bounties can also be detrimental to security research in general. On the other hand, Twitter is a more secure place thanks to some $322,420 in bounties it has handed out over the past two years, and a bug bounty from Instagram made one 10-year-old Finnish kid $10,000 richer.