Apple offers bug bounties for security researchers

One of the most secretive companies when it comes to security measures is Apple. But now the company is opening its security doors to hackers and researchers to help them find bugs and security vulnerabilities in its systems.

Apple’s head of security engineering and architecture, Ivan Krstic, made the announcement at Black Hat, saying Apple will offer up to $200,000 in bounties for finding vulnerabilities in its products, Tech Crunch reported.

Krstic said the move is part of Apple’s ongoing work to help improve its security, adding that the in-house testers are increasingly finding it difficult to discover vulnerabilities and so it was time to start offering bounties to external researchers.

The bounty program is currently limited to researchers who have previously made relevant disclosures to the company. However, Apple will consider new researchers provided they offer useful disclosures. Eventually the company plans to expand the program to allow more researchers to participate.

Eligibility into the program requires proof of concept on the latest iOS and hardware. Then Apple will determine the exact amount based on clarity of vulnerability, novelty of the problem and likelihood of user exposure, as well as degree of user interaction necessary to exploit the vulnerability.

The rewards are as follows:
* Vulnerabilities in secure boot firmware components: Up to $200,000
* Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
* Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
* Access to iCloud account data on Apple servers: Up to $50,000
* Access from a sandboxed process to user data outside the sandbox: Up to $25,000

But Apple’s not done. It also encourages researchers to donate their earnings to charity and will even double the donated amount if Apple approves of the selected institution.  Alfred Bayle

View comments

TAGS: Apple, Black Hat, Bug Bounty, security researchers