Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
66,047
34,882



At today's Black Hat Conference, an annual event designed for the global InfoSec community, Apple's head of security engineering Ivan Krstic announced the launch of a bug bounty program that will see Apple paying money to individuals who discover major bugs and security flaws in the company's software.

Many major technology companies like Google and Microsoft offer bug bounty programs to encourage people to discover and report major vulnerabilities, but until now, Apple has declined to provide a similar program.

applebugbounty-800x600.jpg

At #BlackHat2016, Apple just announced a new Security Bounty program and has promised to prioritize pushing updates. pic.twitter.com/1jXW1tNMrb - Jay Freeman (saurik) (@saurik) August 4, 2016

According to TechCrunch, Apple's new bug bounty program is part of Apple's effort to open up to hackers, researchers, and cryptographers who want to help improve the company's security.

Apple will be offering bounties of up to $200,000 to researchers depending on the vulnerability that's discovered. Secure boot firmware components will earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.
Although each category of vulnerability maxes out at the given rate, Apple will determine the exact reward amount based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.
Apple plans to launch its new bug bounty program in September. To be eligible for a reward as part of the program, researchers will need to provide proof-of-concept on the latest versions of iOS and the company's newest hardware. Apple will also encourage researchers to donate their earnings to charity and will match all bug bounty donations.

The program will be invite only for the time being, limited to a few dozen researchers. Apple plans to make it more open as it grows, and if a non-member discovers a significant bug, they'll be invited to the program.

Article Link: Apple Launches Bug Bounty Program, Offers Up to $200,000 for Software Vulnerabilities Discovered
 
  • Like
Reactions: Solomani and 997440
RIP to the juicy jailbreak community
Yea I wonder what this means for jailbreaking. I'd imagine jailbreaking software would make more money giving these exploits to apple for money. Hopefully after the software has been released.
 
The incredibly buggy new OS releases shows that Apple is no longer capable of doing it in-house - going the OUTSOURCING route.

Pretty much everyone does this, so this is a good move for Apple. You always need third parties to analyze your code/product since internal staff will always have some assumptions or standard ways of doing things that preclude you from testing all possibilities.
 
I think this is a great thing and it's about time!

Though considering the quality of Apple's software lately, it's also a great thing that they have such a large cash hoard. :p
 
The incredibly buggy new OS releases shows that Apple is no longer capable of doing it in-house - going the OUTSOURCING route.

Not quite, doesn't matter how many gifted employees you have in-house you'll never catch everything. A familiar work environment breeds a familiar way of thinking, sometimes you need someone to take a look at code from a completely different perspective and it's amazing what can be spotted hiding in plain sight. Happens in all walks of life.

Increasing the number of eyes on their systems with a financial incentive is a really efficient and effective way of catching security flaws.
 
Oh come on... Most other companies "outsource" it... Its smart business.

It is actually cheap business :) Instead of hiring more people or well... dedicating some more resources, you just let people try to do your work and once they do it, you decide how much is worth if anything at all. This last part is the smart part, because it is Apple deciding how much is worth.

Of course, for a teenager or such who discoveries some vulnerability any cash is probably good... but for a company who does security research, I'm sure that this money is little to nothing. They will likely get more if they sell the knowledge to some third party (or license it) :)

Increasing the number of eyes on their systems with a financial incentive is a really efficient and effective way of catching security flaws.

Exactly... it is all about increasing the number of eyes without paying any penny for them, only those who 'succeed' and are willing to 'risk' the decision of payment by Apple. If Apple would have to pay for all those eyes, it would not obviously be worth it, but... we live in this so called sharing economy, right? A few create an app for others to do the work while you cash in as an intermediary with little to zero responsibilities...
 
  • Like
Reactions: modemthug
Wherever the discussion turns to Quality Control IT always points to the source and whether or not companies have lost control of the build and whether or not they have the right people doing the build.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.