Apple Launches £150,000 Bug Bounty Program
BLACK HAT 2016: Program will bait researchers into finding critical flaws in iCloud and secure boot firmware
In a first for the company, Apple is now offering monetary rewards for hackers who can find bugs in its security, pledging up to $200,000 (£152,000) in a bug bounty program designed to entice researchers to find flaws in Apple’s products.
Announced at the annual Black Hat security conference, Apple has traditionally steered clear of bug bounty programs, unlike a majority of its Silicon Valley compatriots like Google or Facebook.
Firmware components
The program, which launches in September, has five categories for eager ethical hackers.
Vulnerabilities found in secure boot firmware components will be rewarded with a generous $200,000, according to Mashable.
Vulnerabilities that allow for the extraction of confidential material from a supposedly ‘secure’ enclave will be worth $100,000.
If researchers can gain access to iCloud account data on Apple servers, they will be rewarded with $50,000. Access from a sandboxed process to user data outside the sandbox is worth up to $25,000.
The bug bounty program will initially only be open to a handful of researchers who have previously identified bugs in Apple software and products.
Apple had no further comment for TechWeekEurope about the bug bounty program.
Security vendor Kaspersky also announced a bug bounty program at Black in Las Vegas, claiming to be the first ever security company to offer its own bug bounty program. The development comes after the discovery of vulnerabilities with products from a number of leading security vendors.
The bug bounty program at Kaspersky Lab will officially begin on 2 August and last for a six-months. The firm will offer a total of $50,000 (£37,428) to security researchers for disclosing flaws.
Researchers will be tasked with analysing Kaspersky Internet Security and Kaspersky Endpoint Security for vulnerabilities.
In March, Google doubled its Chrome bug bounty from $50,000 to $100,000 for persistent compromise of a Chromebook in guest mode. Since launching its bug bounty program in 2010, Google has forked out more than $6m, including more than $2m in 2015 alone.