Bug bounty programs invite outside researchers to hunt for security vulnerabilities (bugs) in a company's software so that the company can fix them before attackers exploit them. The researcher who finds and reports a vulnerability is then paid a reward, usually in cash, and often a substantial one.
Apple is late to the party, since companies like Google have been running bug bounties for several years now. Ivan Krstic, Apple's head of security engineering and architecture, announced at Black Hat on Thursday that the company will launch a reward program in September.
Speaking to the crowd at Black Hat, Krstic said:
"We've had great help from researchers like you in improving iOS security all along. Feedback that we've heard pretty consistently, both from my team at Apple and also from researchers directly, is that it's getting increasingly more difficult to find some of those most critical types of security vulnerabilities. So the Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple."
Apple will pay up to $200,000 for vulnerabilities in its secure boot firmware components. For comparison, Microsoft offers $100,000 for qualifying vulnerabilities in Windows 10, while Facebook and Twitter pay out large sums spread across many smaller rewards over time.
Below that top tier, Apple is offering:
- Up to $100,000 for extraction of confidential material protected by the Secure Enclave Processor
- Up to $50,000 for execution of arbitrary code with kernel privileges
- Up to $50,000 for unauthorized access to iCloud account data on Apple's servers (the kind of access behind the celebrity photo leaks)
- Up to $25,000 for access from a sandboxed process to user data outside of that sandbox
Even though Apple is late to bug bounties, offering one of the largest top rewards in the industry will probably save Apple some face and entice white hat hackers into bug hunting for Apple.