Apple announces upcoming bug bounty program, initially invite-only

Posted:
in General Discussion edited August 2016
Apple during a presentation at this year's Black Hat security conference announced plans to institute its first ever bug bounty program, an initiative that pays out cash for previously undiscovered software and hardware vulnerabilities.




When the program goes live in September, security researchers probing Apple's latest products for weaknesses will be able to hand over working exploits for cash rewards, or bounties. Smaller firms and industry organizations are no stranger to bug bounty incentives, making Apple one of the last major consumer electronics brands to move away from internal testing and toward public incentives.

As noted in Apple's presentation, the initial set of bounties look to shore up defenses of high-level computing assets and first-party security elements. Maximum payments include $200,000 for secure boot firmware components, $100,000 for extraction of confidential material protected by the Secure Enclave Processor, $50,000 for execution of arbitrary code with kernel privileges, $50,000 for unauthorized access to iCloud account data on Apple servers and $25,000 for access from a sandboxed process to user data outside of that sandbox.

Like all things Apple, the bug bounty payout mechanism comes with a twist. Security researchers who choose to give their awards to charity will find their donations matched one-to-one by Apple.

For now, Apple's bug hunting apparatus will be open only to a select group of invited researchers. The company did not announce who, exactly, was asked to participate, but did say non-members who find a particularly interesting bug might find themselves invited to join the elite cadre.

It seems that Apple intends to expand the program beyond the initial set of bug categories, though it did not share details on those plans today.

Apple has always been open to external input when it comes to product security, a recent example being the discovery of a potentially dangerous iOS vulnerability resembling Android's Stagefright exploit. The flaw, which impacted iOS, Mac and tvOS devices, was patched with in a round of software updates in July.

With the bug bounty program Apple hopes to incentivize threat discovery, a model that plays to both white and gray hat hackers. The more eyes on its products, the higher the chance Apple has of detecting and dealing with a threat before it impacts millions of device owners around the world.

Comments

  • Reply 1 of 6
    I think Apple will not "move away from internal testing", but will add the bug bounty program as an extra layer of effort.
    edited August 2016 magman1979bestkeptsecretbadmonk
  • Reply 2 of 6
    linkmanlinkman Posts: 1,016member
    I wonder how this compares to payouts from some of the "competition" such as less than scrupulous companies, the US government's NSA, well-funded hackers, etc.? If I were to find a firmware vulnerability a $1 million check would be very tempting vs. that $200k.
  • Reply 3 of 6
    curt12curt12 Posts: 41member
    linkman said:
    I wonder how this compares to payouts from some of the "competition" such as less than scrupulous companies, the US government's NSA, well-funded hackers, etc.? If I were to find a firmware vulnerability a $1 million check would be very tempting vs. that $200k.

    Pretty competitive with the rest of the industry (http://www.welivesecurity.com/2015/08/03/worlds-biggest-bug-bounty-payouts/).
  • Reply 4 of 6
    Wow, even more reason to get into development and security. Been meaning to start learning this stuff anyway. Would be pretty interesting to work in that field.
  • Reply 5 of 6
    linkmanlinkman Posts: 1,016member
    curt12 said:
    linkman said:
    I wonder how this compares to payouts from some of the "competition" such as less than scrupulous companies, the US government's NSA, well-funded hackers, etc.? If I were to find a firmware vulnerability a $1 million check would be very tempting vs. that $200k.

    Pretty competitive with the rest of the industry (http://www.welivesecurity.com/2015/08/03/worlds-biggest-bug-bounty-payouts/).
    I suspect that more lucrative payments would be from the bad guys.
  • Reply 6 of 6
    dysamoriadysamoria Posts: 3,430member
    Security only. Right. All the other bugs they've had reported to them for free by customers can just keep lingering in Apple's software. 
Sign In or Register to comment.