Apple plays catch-up with a bug bounty program coming in September

Google, Facebook, and Microsoft all have had bug bounty programs for quite some time. Hackers and security enthusiasts work to find bugs and exploits, and in return they receive large cash prizes. While Apple has been willing to accept vulnerability disclosures, it has never explicitly offered cash awards for them. Not anymore.

Apple announced at the Black Hat conference that it will launch a program in September offering cash rewards to people who discover exploits and vulnerabilities in its suite of products, according to TechCrunch. The program will focus on Apple’s most recent products, meaning iOS 10 and the new devices rumored to launch in the fall.

Offering a cash reward is a popular method of squashing bugs and closing loopholes in software and hardware these days. It’s so popular that the Department of Defense launched a “Hack the Pentagon” program with a $150,000 bounty budget. Google recently said it’s increasing its bug bounty for Android by up to 50 percent above what it currently offers.

The bugs have been sorted into five categories: exploits in secure boot firmware components; extracting data from Secure Enclave; executing arbitrary or malicious code with kernel privileges; access to iCloud account data on Apple servers; and access from a sandboxed process to user data outside the sandbox.

The rewards range from $20,000 up to $200,000, depending on the category. In an unusual move, Apple will encourage people who receive rewards to donate them to charity, and the Cupertino company will match donations to approved institutions.

Apple’s move may have been a direct consequence of the San Bernardino shootings in December 2015. The shooter left behind a locked iPhone, and while Apple initially aided the investigation, the company refused a court order that demanded backdoor access into the iPhone. This prompted an encryption battle between the U.S. Department of Justice and Apple, which eventually led to the FBI purchasing a method to hack the iPhone from third-party hackers.

The program will start as invitation-only in order to avoid a flood of fake submissions, but any party that discloses an important bug to Apple will be invited into the program.

Julian Chokkattu
Former Digital Trends Contributor
Julian is the mobile and wearables editor at Digital Trends, covering smartphones, fitness trackers, smartwatches, and more…