Apple Launches Bug Bounty Program, offering up to $200K for vulnerabilities

At the Black Hat conference, an annual event designed for the global InfoSec community, Apple announced that it is planning a bug bounty program that will offer hackers cash in exchange for revealing undisclosed vulnerabilities in their products. The program will launch in September and will hand out cash against working exploits on the latest version of iOS or the latest hardware from Apple.

The program will be invite-only initially, with a few dozen researchers onboard. However, Apple says that it can open more as it grows. Plus, if someone provides Apple with a significant bug, they will be invited to the program. The company is going with an invite-only method to keep suspicious submissions away and to ensure trusted researchers get adequate support from it.

Several major technology companies, such as Microsoft and Google, have long offered similar programs, but Apple has remained a holdout until now. The iPhone-maker will pay anywhere between $25K and $200K for exploits, depending on where it is and what it does.

According to TechCrunch, Apple’s new bug bounty program is part of Apple’s effort to open up to hackers, researchers, and cryptographers who want to help improve the company’s security.

Apple will be offering bounties of up to $200,000 to researchers depending on the vulnerability that’s discovered. Secure boot firmware components will earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.

Although each category of vulnerability maxes out at the given rate, Apple will determine the exact reward amount based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.

Apple plans to launch its new bug bounty program in September. To be eligible for a reward as part of the program, researchers will need to provide proof-of-concept on the latest versions of iOS and the company’s newest hardware. Apple will also encourage researchers to donate their earnings to charity and will match all bug bounty donations.

Leave a Reply