Apple's Ivan Krstic, head of Security Engineering and Architecture, has announced that the company will pay cash bounties to hackers and researchers who find and report bugs and security issues in its products. Given its wealth it is only fitting that Apple is offering perhaps the largest potential single payout of any bug bounty programme: up to $200,000 (£152,000) per bug. Krstic's main presentation at Black Hat USA 2016 was about iOS security.
For now Apple says it will open its bounty programme only to "a couple dozen select researchers," reports the Securosis blog. In a rough sketch of the available bounties, Apple is said to be offering sums from $25,000 up to the headline figure of $200,000. TechCrunch listed the bounty tiers as follows:
- Vulnerabilities in secure boot firmware components: Up to $200,000
- Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
- Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
- Access to iCloud account data on Apple servers: Up to $50,000
- Access from a sandboxed process to user data outside the sandbox: Up to $25,000
If you choose to donate your bounty to an approved charity, Apple will match the donation, doubling the sums above.
There are several reasons for inviting select researchers rather than running a free-for-all bug bounty programme. Firstly, it is thought that Apple does not want to get into costly bidding wars against governments and criminal organisations. Secondly, it will not need to filter a potential deluge of "low-quality, poorly validated bugs," with the obvious engineering time and expense that involves.
The model Apple is using was designed following advice from companies that have previously run bug bounty programmes. According to a Reuters report, the chosen security researchers "have previously helped Apple identify bugs, but have not been compensated for that work". Apple will however "slowly expand the program" as new researchers provide useful disclosures, says TechCrunch.
Apple's tech industry rivals, such as Google, Facebook, Yahoo!, and Microsoft, have long operated bug bounty programmes. Microsoft has coughed up over $1.5 million in rewards to security researchers over the last three years, and Facebook has dished out over $5 million in the last five years.