Apple Launches its First Bug Bounty Program

Over the past five years, most major tech companies have instituted bug bounty programs, welcoming vulnerability reports from hackers and reimbursing for reports in cash, reported TechCrunch. Companies that don’t have the technical expertise to run their own bounty programs have outsourced the security work to outside firms, it said. But for years, Apple remained a holdout, said USA Today. While security has been a crucial part of its corporate narrative, Apple has quietly refused to pay for bug reports, at times frustrating security researchers who found it difficult to report flaws to the company.

“Apple historically had a rough relationship with researchers,” said Rich Mogull, CEO of Securosis and a security analyst who keeps tabs on iOS security. “Over the last 10 years, that has changed a lot and become more positive.” The bug bounty program, he says, is another step in the right direction.

“Apple is obviously spending a lot of time doing this internally, putting their best people on it, but they are saying, ‘We are having a harder time finding these things.’ They are saying, ‘In our desire to continue to make security an evolving conversation, it will be helpful to expand beyond our walls,’” added Ben Bajarin, a consumer technology researcher. “This is an expansion of security work they’ve done before.”

The program launches in September with five categories of risk and reward:

1. Vulnerabilities in secure boot firmware components: Up to $200,000
2. Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
3. Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
4. Access to iCloud account data on Apple servers: Up to $50,000
5. Access from a sandboxed process to user data outside the sandbox: Up to $25,000

To be eligible for a reward, researchers will need to provide a proof-of-concept on the latest iOS and hardware.
Although each category of vulnerability maxes out at the given amount, Apple will determine the exact reward based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability. In an unusual twist, said ZDNet, Apple plans to encourage researchers to donate their earnings to charity. If Apple approves of a researcher’s selected institution, it will match their donation — so a $200,000 reward could turn into a $400,000 donation.