Not quite, doesn't matter how many gifted employees you have in-house you'll never catch everything. A familiar work environment breeds a familiar way of thinking, sometimes you need someone to take a look at code from a completely different perspective and it's amazing what can be spotted hiding in plain sight. Happens in all walks of life.

Increasing the number of eyes on their systems with a financial incentive is a really efficient and effective way of catching security flaws.

It has to do with what you can actually test/develop in house vs what the whole world can test/develop. That's why you have public/dev betas and big companies buy startups and don't expect internal R&D to uncover all future tech the company will use.
 
It's a start.

Yes, it's a very good idea, and better late than never.

What some are commenting about, is that the relatively small bounties... especially for the super critical secure enclave... do not indicate at first glance that Apple has a lot of confidence in their current code.

The amounts are also nothing in comparison to what an organization like say, the FBI, might pay for an enclave exploit that would allow them to unlock encrypted phones.

So it would be a good idea, both to show confidence in iOS security, and from a practical acquisition standpoint, for Apple to put a bounty in the millions on at least some sections.

Perhaps as time goes by, Apple will think so too.
 
If I could hack the secure enclave, which would essentially Bork hundreds of millions of iOS gadgets, Apple would pay me whatever $$ I asked for. Reward changes to Ransom.
 
Most of the Chinese are paid the same or more I would assume thanks to the stores they promote. So don't despair yet.

This is the truth everyone.

Making a jailbreak or selling the exploit on the gray/black market will always be worth it. And that's on the kernel level. Anything on the level of secure boot would easily fetch 1mil + if sold on the open market because that's not fixable in software updates.
 