Google, Facebook, and Microsoft all have had bug bounty programs for quite some time. Hackers and security enthusiasts work to find bugs and exploits, and in return they receive large cash prizes. While Apple has been willing to accept vulnerability disclosures, it has never explicitly offered cash awards for them. Not anymore.
Announced at the Black Hat conference, Apple will unveil a program in September that will offer a cash reward for people who discover exploits and vulnerabilities in its suite of products, according to TechCrunch. The program will focus on Apple’s most recent products, meaning iOS 10 and the new devices rumored to launch in the fall.
Offering a cash reward is a popular method of squashing bugs and closing loopholes in software and hardware these days. It’s so popular, the Department of Defense launched a “Hack the Pentagon” program with a $150,000 bounty budget. Google recently said it’s increasing its bug bounty for Android up to 50 percent above what it currently offers.
The bugs have been sorted into five categories: exploits in secure boot firmware components; extracting data from Secure Enclave; executing arbitrary or malicious code with kernel privileges; access to iCloud account data on Apple servers; and access from a sandboxed process to user data outside the sandbox.
The rewards range between $200,000 and $20,000. In an unusual move, Apple will encourage people who receive rewards to donate them to charity, and the Cupertino company will match donations to approved institutions.
Apple’s move may have been a direct consequence of the San Bernardino shootings in December 2015. The shooter left behind a locked iPhone, and while Apple initially aided the investigation, the Cupertino company refused a court order that demanded backdoor access into the iPhone. This prompted an encryption battle between the U.S. Department of Justice and the Cupertino company, which eventually led to the FBI purchasing a method to hack the iPhone from third-party hackers.
The program will start as invitation-only so as to eliminate a flood of fake submissions, but if a party discloses an important bug to Apple they will be invited into the program.
- Intel opens bug hunt to all security researchers, offers possible $250K payout
- Microsoft will pay you up to $250,000 to find Spectre-like flaws
- How Google’s ‘Project Zero’ task force races hackers to snuff out bugs
- Hackers can bypass the Windows 10 S lockdown due to security flaw
- Internet Explorer has a zero-day bug that Microsoft needs to fix