facebook rss twitter

Apple's first ever bug bounty program starts in September

by Mark Tyson on 5 August 2016, 13:41

Tags: Apple (NASDAQ:AAPL)

Quick Link: HEXUS.net/qac5fg

Add to My Vault: x

Apple's Ivan Krstic, head of Security Engineering and Architecture, has announced that the firm will offer cash bounties for hackers and researchers who find and report bugs and security issues in its products. With its astounding wealth it is only appropriate that Apple is offering perhaps the largest potential single payout to bug bounty hunters – up to $200,000 (£152,000) per bug. Krstic's main presentation at Black Hat USA 2016 was about iOS security.

At the current time Apple says it will only open its bounty program to "a couple dozen select researchers," reports the Securosis blog. In a rough sketch of the available bounties, Apple is said to be offering sums from $25,000 up to the headlining figure of $200,000. TechCrunch detailed a bullet point bug bounty price list as below:

  • Vulnerabilities in secure boot firmware components: Up to $200,000
  • Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
  • Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
  • Access to iCloud account data on Apple servers: Up to $50,000
  • Access from a sandboxed process to user data outside the sandbox: Up to $25,000
  • If you chose to done your bounty to an approved charity the above sums will be doubled by Apple.

There are several reasons behind the select choice of researchers, rather than a free-for-all bug bounty program. Firstly it is thought that Apple doesn't want to get into costly bidding wars against governments and criminal organisations. Secondly it won't need to filter a potential deluge of "low-quality, poorly validated bugs," with the engineering obvious time and expense that involves.

The model Apple is using was designed following advice from companies that have previously begun bug bounty programs. According to a Reuters report the chosen security researchers "have previously helped Apple identify bugs, but have not been compensated for that work". Apple will however "slowly expand the program," as new researchers provide useful disclosures, says TechCrunch.

Tech industry rivals to Apple, such as Google, Facebook, Yahoo!, and Microsoft have long operated bug bounty programs. Microsoft has coughed up over $1.5 million in rewards to security researchers over the last three years, and Facebook has dished out over $5 million in the last five years.

HEXUS Forums :: 4 Comments

Login with Forum Account

Don't have an account? Register today!
Posted by chinf - Fri 05 Aug 2016 18:09
“If you chose to done your bounty” - should probably read "If you choose to donate your bounty"
Posted by Plasmastorm - Sun 07 Aug 2016 14:05
But….But….Apple products are perfect in every way ! Everyone knows that !
Posted by Luke7 - Sun 07 Aug 2016 18:58
chinf
“If you chose to done your bounty” - should probably read "If you choose to donate your bounty"

I thought this, however this “done” is pronounced like “own” with a “d” rather than “dun”. This made me think it may be an old or new verb form of donate, but I couldn't find much evidence of this (in 60 seconds of googling). I do think I've heard this before though and I'm not entirely sure that this “done” form is wholly incorrect, though I will admit that it is unpleasant to both ear and eye.
Posted by jnutt - Mon 08 Aug 2016 11:58
Plasmastorm
But….But….Apple products are perfect in every way ! Everyone knows that !
Obviously think because they are so perfect program wont cost them a cent