Apple Launches Bug Bounty Program, Offers Up to $200,000 for Software Vulnerabilities Discovered

Discussion in 'News Discussion' started by MacRumors, Aug 4, 2016.

  1. MacRumors macrumors bot


    Apr 12, 2001

    At today's Black Hat Conference, an annual event designed for the global InfoSec community, Apple's head of security engineering Ivan Krstic announced the launch of a bug bounty program that will see Apple paying money to individuals who discover major bugs and security flaws in the company's software.

    Many major technology companies like Google and Microsoft offer bug bounty programs to encourage people to discover and report major vulnerabilities, but until now, Apple has declined to provide a similar program.


    According to TechCrunch, Apple's new bug bounty program is part of Apple's effort to open up to hackers, researchers, and cryptographers who want to help improve the company's security.

    Apple will be offering bounties of up to $200,000 to researchers depending on the vulnerability that's discovered. Secure boot firmware components will earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.
    Apple plans to launch its new bug bounty program in September. To be eligible for a reward as part of the program, researchers will need to provide proof-of-concept on the latest versions of iOS and the company's newest hardware. Apple will also encourage researchers to donate their earnings to charity and will match all bug bounty donations.

    The program will be invite only for the time being, limited to a few dozen researchers. Apple plans to make it more open as it grows, and if a non-member discovers a significant bug, they'll be invited to the program.

    Article Link: Apple Launches Bug Bounty Program, Offers Up to $200,000 for Software Vulnerabilities Discovered
  2. RedOrchestra, Aug 4, 2016
    Last edited: Aug 4, 2016

    RedOrchestra Suspended

    Aug 13, 2012
    The incredibly buggy new OS releases show that Apple is no longer capable of doing it in-house - going the OUTSOURCING route.
  3. TheHorrorNerd macrumors regular

    Feb 25, 2015
    The one that jumps out at me is the
    "Unauthorized access to iCloud account data on Apple Servers" is only $50,000.00.
    Hasn't Apple claimed that data has never been compromised on the Apple server side?
  4. Relentless Power macrumors Penryn

    Relentless Power

    Jul 12, 2016
    $200,000 is a great incentive to help detect these issues. Hopefully it's successful.
  5. TheHorrorNerd macrumors regular

    Feb 25, 2015
    Oh come on... Most other companies "outsource" it... It's smart business.
  6. DarkCole macrumors regular


    Jul 21, 2013
  7. now i see it macrumors 68030

    Jan 2, 2002
    I discovered a bug in Apple's Mac update schedule. The Mac never seems to update. Can I collect $200,000?
  8. ramsey aguilera macrumors newbie

    ramsey aguilera

    Jul 15, 2016
  9. anzio macrumors 6502

    Dec 5, 2010
    Innisfil, Ontario, Canada
    Although it's low, it is still a reasonable bounty for an online service. Even if it is currently seen as impenetrable
  10. EricTheHalfBee Suspended

    Mar 10, 2013
    Great idea. iOS will always be more secure than Android, and this will only further that gap.
  11. x-evil-x macrumors 68040


    Jul 13, 2008
    Yeah, I wonder what this means for jailbreaking. I'd imagine jailbreaking software would make more money giving these exploits to Apple for money. Hopefully after the software has been released.
  12. TheHorrorNerd macrumors regular

    Feb 25, 2015
    And that's why it's invite only...
  13. CanadianGuy macrumors member


    Jul 3, 2007
    Ontario, Canada
    Pretty much everyone does this, so this is a good move for Apple. You always need third parties to analyze your code/product since internal staff will always have some assumptions or standard ways of doing things that preclude you from testing all possibilities.
  14. TheHorrorNerd macrumors regular

    Feb 25, 2015
    It kinda ranks their priorities as protecting data relatively low...
  15. Soba macrumors regular


    May 28, 2003
    Rochester, NY
    I think this is a great thing and it's about time!

    Though considering the quality of Apple's software lately, it's also a great thing that they have such a large cash hoard. :p
  16. Twimfy macrumors 6502a


    Sep 11, 2011
    Not quite, doesn't matter how many gifted employees you have in-house you'll never catch everything. A familiar work environment breeds a familiar way of thinking, sometimes you need someone to take a look at code from a completely different perspective and it's amazing what can be spotted hiding in plain sight. Happens in all walks of life.

    Increasing the number of eyes on their systems with a financial incentive is a really efficient and effective way of catching security flaws.
  17. Rocketman macrumors 603


    It took 2 years after the major brouhaha for Apple to implement this. They really are that bureaucratic.
  18. wschutz macrumors 6502

    Jun 5, 2007
    It is actually cheap business :) Instead of hiring more people or well... dedicating some more resources, you just let people try to do your work and once they do it, you decide how much it is worth, if anything at all. This last part is the smart part, because it is Apple deciding how much it is worth.

    Of course, for a teenager or such who discovers some vulnerability any cash is probably good... but for a company who does security research, I'm sure that this money is little to nothing. They will likely get more if they sell the knowledge to some third party (or license it) :)

    Exactly... it is all about increasing the number of eyes without paying a penny for them, only those who 'succeed' and are willing to 'risk' the decision of payment by Apple. If Apple had to pay for all those eyes, it would not obviously be worth it, but... we live in this so-called sharing economy, right? A few create an app for others to do the work while you cash in as an intermediary with little to zero responsibilities...
  19. ryanlindner macrumors newbie


    Dec 18, 2012
    I found a bug. For some reason since SJ has gone Apple can't make anything innovative.
  20. bennibeef macrumors 6502

    May 22, 2013
    The brouhaha was more of the kind "dumb passwords with missing two-factor authentication" than a hack or similar.
  21. AppleScruff1 macrumors G3


    Feb 10, 2011
    What about the watch bands? :p
  22. SoSickSadNslOw macrumors member


    Jul 26, 2016
    United Kingdom
    Great move, finally. No matter how many people you hire in house, there will always be someone out there who gets lucky or knows more about something specific.
  23. Rocketman macrumors 603


    The brouhaha is continued police bypass and side loading and jailbreak.

    Celebrities not keeping their passwords secure is not our problem. Heck I want to see them nude!
  24. RedOrchestra Suspended

    Aug 13, 2012
    Wherever the discussion turns to Quality Control IT always points to the source and whether or not companies have lost control of the build and whether or not they have the right people doing the build.
  25. modemthug macrumors regular

    Apr 20, 2010