Apple Launches Bug Bounty Program, Offers Up to $200,000 for Software Vulnerabilities Discovered

[MacRumors]

At today's Black Hat Conference, an annual event designed for the global InfoSec community, Apple's head of security engineering Ivan Krstic announced the launch of a bug bounty program that will see Apple paying money to individuals who discover major bugs and security flaws in the company's software.

Many major technology companies like Google and Microsoft offer bug bounty programs to encourage people to discover and report major vulnerabilities, but until now, Apple has declined to provide a similar program.

At #BlackHat2016, Apple just announced a new Security Bounty program and has promised to prioritize pushing updates. pic.twitter.com/1jXW1tNMrb - Jay Freeman (saurik) (@saurik) August 4, 2016

According to TechCrunch, Apple's new bug bounty program is part of Apple's effort to open up to hackers, researchers, and cryptographers who want to help improve the company's security.

Apple will be offering bounties of up to $200,000 to researchers depending on the vulnerability that's discovered. Secure boot firmware components will earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.

Although each category of vulnerability maxes out at the given rate, Apple will determine the exact reward amount based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.

Apple plans to launch its new bug bounty program in September. To be eligible for a reward as part of the program, researchers will need to provide proof-of-concept on the latest versions of iOS and the company's newest hardware. Apple will also encourage researchers to donate their earnings to charity and will match all bug bounty donations.

The program will be invite only for the time being, limited to a few dozen researchers. Apple plans to make it more open as it grows, and if a non-member discovers a significant bug, they'll be invited to the program.

Article Link: Apple Launches Bug Bounty Program, Offers Up to $200,000 for Software Vulnerabilities Discovered

 

[RedOrchestra]

The incredibly buggy new OS releases shows that Apple is no longer capable of doing it in-house - going the OUTSOURCING route.

 

[TheHorrorNerd]

The one that jumps out at me is the
"Unauthorized access to Icloud account data on Apple Servers" is only $50,000.00.
Hasn't Apple claimed that data has never been compromised on the Apple server side?

 

[44267547]

$200,000 is a great incentive to help detect these issues. Hopefully it's successful.

 

[TheHorrorNerd]

Can no longer do it in-house - going the OUTSOURCING route.

Oh come on... Most other companies "outsource" it... Its smart business.

 

[DarkCole]

That's pretty awesome.

 

[now i see it]

I discovered a bug in Apple's Mac update schedule. The Mac never seems to update. Can I collect $200,000?

 

[ramsey aguilera]

RIP to the juicy jailbreak community

 

[anzio]

The one that jumps out at me is the
"Unauthorized access to Icloud account data on Apple Servers" is only $50,000.00.
Hasn't Apple claimed that data has never been compromised on the Apple server side?

Although it's low, it is still a reasonable bounty for an online service. Even if it is currently seen as impenetrable

 

[EricTheHalfBee]

Great idea. iOS will always be more secure than Android, and this will only further that gap.

 

[x-evil-x]

RIP to the juicy jailbreak community

Yea I wonder what this means for jailbreaking. I'd imagine jailbreaking software would make more money giving these exploits to apple for money. Hopefully after the software has been released.

 

[TheHorrorNerd]

I discovered a bug in Apple's Mac update schedule. The Mac never seems to update. Can I collect $200,000?

And that's why its invite only...

 

[CanadianGuy]

The incredibly buggy new OS releases shows that Apple is no longer capable of doing it in-house - going the OUTSOURCING route.

Pretty much everyone does this, so this is a good move for Apple. You always need third parties to analyze your code/product since internal staff will always have some assumptions or standard ways of doing things that preclude you from testing all possibilities.

 

[TheHorrorNerd]

Although it's low, it is still a reasonable bounty for an online service. Even if it is currently seen as impenetrable

It kinda ranks their priorities as protecting data relatively low...

 

[Soba]

I think this is a great thing and it's about time!

Though considering the quality of Apple's software lately, it's also a great thing that they have such a large cash hoard.

 

[Twimfy]

The incredibly buggy new OS releases shows that Apple is no longer capable of doing it in-house - going the OUTSOURCING route.

Not quite, doesn't matter how many gifted employees you have in-house you'll never catch everything. A familiar work environment breeds a familiar way of thinking, sometimes you need someone to take a look at code from a completely different perspective and it's amazing what can be spotted hiding in plain sight. Happens in all walks of life.

Increasing the number of eyes on their systems with a financial incentive is a really efficient and effective way of catching security flaws.

 

[Rocketman]

It took 2 years after the major bruhaha for Apple to implement this. They really are that bureaucratic.

 

[wschutz]

Oh come on... Most other companies "outsource" it... Its smart business.

It is actually cheap business Instead of hiring more people or well... dedicating some more resources, you just let people try to do your work and once they do it, you decide how much is worth if anything at all. This last part is the smart part, because it is Apple deciding how much is worth.

Of course, for a teenager or such who discoveries some vulnerability any cash is probably good... but for a company who does security research, I'm sure that this money is little to nothing. They will likely get more if they sell the knowledge to some third party (or license it)

Increasing the number of eyes on their systems with a financial incentive is a really efficient and effective way of catching security flaws.

Exactly... it is all about increasing the number of eyes without paying any penny for them, only those who 'succeed' and are willing to 'risk' the decision of payment by Apple. If Apple would have to pay for all those eyes, it would not obviously be worth it, but... we live in this so called sharing economy, right? A few create an app for others to do the work while you cash in as an intermediary with little to zero responsibilities...

 

[ryanlindner]

I found a bug. For some reason since SJ has gone apple can't make anything innovative.

 

[bennibeef]

It took 2 years after the major bruhaha for Apple to implement this. They really are that bureaucratic.

the bruhaha was more of the kind "dumb passwords with missing two factor authentication" than a hack or similar

 

[AppleScruff1]

I found a bug. For some reason since SJ has gone apple can't make anything innovative.

What about the watch bands?

 

[SoSickSadNslOw]

Great move, finally. No matter how many people you hire in house, there will always be someone out there who gets lucky or knows more about something specific.

 

[Rocketman]

the bruhaha was more of the kind "dumb passwords with missing two factor authentication" than a hack or similar

The brouhaha is continued police bypass and side loading and jailbreak.

Celebrities not keeping their passwords secure is not our problem. Heck I want to see them nude!

 

[RedOrchestra]

Wherever the discussion turns to Quality Control IT always points to the source and whether or not companies have lost control of the build and whether or not they have the right people doing the build.

 

[modemthug]

The end of jailbreaking