Apple Launches Bug Bounty Program, Offers Up to $200,000 for Software Vulnerabilities Discovered

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Aug 4, 2016.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    At today's Black Hat Conference, an annual event designed for the global InfoSec community, Apple's head of security engineering Ivan Krstic announced the launch of a bug bounty program that will see Apple paying money to individuals who discover major bugs and security flaws in the company's software.

    Many major technology companies like Google and Microsoft offer bug bounty programs to encourage people to discover and report major vulnerabilities, but until now, Apple has declined to provide a similar program.



    According to TechCrunch, Apple's new bug bounty program is part of Apple's effort to open up to hackers, researchers, and cryptographers who want to help improve the company's security.

    Apple will be offering bounties of up to $200,000 to researchers depending on the vulnerability that's discovered. Secure boot firmware components will earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.
    Apple plans to launch its new bug bounty program in September. To be eligible for a reward as part of the program, researchers will need to provide a proof of concept on the latest version of iOS and the company's newest hardware. Apple will also encourage researchers to donate their earnings to charity and will match all bug bounty donations.

    The program will be invite only for the time being, limited to a few dozen researchers. Apple plans to make it more open as it grows, and if a non-member discovers a significant bug, they'll be invited to the program.

    Article Link: Apple Launches Bug Bounty Program, Offers Up to $200,000 for Software Vulnerabilities Discovered
     
  2. RedOrchestra, Aug 4, 2016
    Last edited: Aug 4, 2016

    RedOrchestra Suspended

    Joined:
    Aug 13, 2012
    #2
    The incredibly buggy new OS releases show that Apple is no longer capable of doing it in-house - going the OUTSOURCING route.
     
  3. TheHorrorNerd macrumors regular

    Joined:
    Feb 25, 2015
    #3
    The one that jumps out at me is that
    "Unauthorized access to iCloud account data on Apple servers" is only $50,000.00.
    Hasn't Apple claimed that data has never been compromised on the Apple server side?
     
  4. Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #4
    $200,000 is a great incentive to help detect these issues. Hopefully it's successful.
     
  5. TheHorrorNerd macrumors regular

    Joined:
    Feb 25, 2015
    #5
    Oh come on... Most other companies "outsource" it... It's smart business.
     
  6. DarkCole macrumors regular

    DarkCole

    Joined:
    Jul 21, 2013
  7. now i see it macrumors 68030

    Joined:
    Jan 2, 2002
    #7
    I discovered a bug in Apple's Mac update schedule. The Mac never seems to update. Can I collect $200,000?
     
  8. ramsey aguilera macrumors newbie

    ramsey aguilera

    Joined:
    Jul 15, 2016
  9. anzio macrumors 6502

    Joined:
    Dec 5, 2010
    Location:
    Innisfil, Ontario, Canada
    #9
    Although it's low, it is still a reasonable bounty for an online service, even if it is currently seen as impenetrable.
     
  10. EricTheHalfBee Suspended

    Joined:
    Mar 10, 2013
    #10
    Great idea. iOS will always be more secure than Android, and this will only further that gap.
     
  11. x-evil-x macrumors 68040

    x-evil-x

    Joined:
    Jul 13, 2008
    #11
    Yeah, I wonder what this means for jailbreaking. I'd imagine jailbreaking software developers would make more money giving these exploits to Apple for money. Hopefully after the software has been released.
     
  12. TheHorrorNerd macrumors regular

    Joined:
    Feb 25, 2015
    #12
    And that's why it's invite only...
     
  13. CanadianGuy macrumors member

    CanadianGuy

    Joined:
    Jul 3, 2007
    Location:
    Ontario, Canada
    #13
    Pretty much everyone does this, so this is a good move for Apple. You always need third parties to analyze your code/product since internal staff will always have some assumptions or standard ways of doing things that preclude you from testing all possibilities.
     
  14. TheHorrorNerd macrumors regular

    Joined:
    Feb 25, 2015
    #14
    It kinda ranks their priorities as protecting data relatively low...
     
  15. Soba macrumors regular

    Soba

    Joined:
    May 28, 2003
    Location:
    Rochester, NY
    #15
    I think this is a great thing and it's about time!

    Though considering the quality of Apple's software lately, it's also a great thing that they have such a large cash hoard. :p
     
  16. Twimfy macrumors 6502a

    Twimfy

    Joined:
    Sep 11, 2011
    Location:
    UK
    #16
    Not quite, doesn't matter how many gifted employees you have in-house you'll never catch everything. A familiar work environment breeds a familiar way of thinking, sometimes you need someone to take a look at code from a completely different perspective and it's amazing what can be spotted hiding in plain sight. Happens in all walks of life.

    Increasing the number of eyes on their systems with a financial incentive is a really efficient and effective way of catching security flaws.
     
  17. Rocketman macrumors 603

    Rocketman

    #17
    It took 2 years after the major brouhaha for Apple to implement this. They really are that bureaucratic.
     
  18. wschutz macrumors 6502

    Joined:
    Jun 5, 2007
    #18
    It is actually cheap business :) Instead of hiring more people or, well... dedicating some more resources, you just let people try to do your work, and once they do it, you decide how much it is worth, if anything at all. This last part is the smart part, because it is Apple deciding how much it is worth.

    Of course, for a teenager or such who discovers some vulnerability, any cash is probably good... but for a company that does security research, I'm sure that this money is little to nothing. They will likely get more if they sell the knowledge to some third party (or license it) :)

    Exactly... it is all about increasing the number of eyes without paying a penny for them, only for those who 'succeed' and are willing to 'risk' the decision of payment by Apple. If Apple had to pay for all those eyes, it obviously would not be worth it, but... we live in this so-called sharing economy, right? A few create an app for others to do the work while you cash in as an intermediary with little to zero responsibilities...
     
  19. ryanlindner macrumors newbie

    ryanlindner

    Joined:
    Dec 18, 2012
    #19
    I found a bug. For some reason, since SJ has gone, Apple can't make anything innovative.
     
  20. bennibeef macrumors 6502

    Joined:
    May 22, 2013
    #20
    The brouhaha was more of the kind "dumb passwords with missing two-factor authentication" than a hack or similar.
     
  21. AppleScruff1 macrumors G3

    AppleScruff1

    Joined:
    Feb 10, 2011
    #21
    What about the watch bands? :p
     
  22. SoSickSadNslOw macrumors member

    SoSickSadNslOw

    Joined:
    Jul 26, 2016
    Location:
    United Kingdom
    #22
    Great move, finally. No matter how many people you hire in house, there will always be someone out there who gets lucky or knows more about something specific.
     
  23. Rocketman macrumors 603

    Rocketman

    #23
    The brouhaha is continued police bypass and side loading and jailbreak.

    Celebrities not keeping their passwords secure is not our problem. Heck I want to see them nude!
     
  24. RedOrchestra Suspended

    Joined:
    Aug 13, 2012
    #24
    Whenever the discussion turns to Quality Control, it always points to the source and whether or not companies have lost control of the build and whether or not they have the right people doing the build.
     
  25. modemthug macrumors regular

    Joined:
    Apr 20, 2010
