Apple Launches Bug Bounty With Rewards of Up to $200K
In a surprise announcement at Black Hat, Apple's security chief announces the company's first formal bug bounty program.

LAS VEGAS—Ivan Krstic, head of Apple Security Engineering and Architecture, was a surprise late addition to the Black Hat USA conference here Aug. 4, in a session in which he detailed upcoming security features in iOS 10. At the end of the talk, Krstic made an unexpected announcement: an Apple bug bounty program.

"I have some news. I'm very happy to say that Apple today is announcing an Apple security bug bounty program," Krstic said as the capacity crowd erupted into spontaneous applause.

Over the years, Apple has benefited from the feedback of security researchers, Krstic said, but it is increasingly difficult to find the most severe vulnerabilities. To that end, the Apple security bug bounty program will reward researchers who share critical vulnerabilities with Apple. Krstic added that Apple is making it a top priority to resolve reported issues as quickly as possible, as well as to provide public recognition for researchers.

The bug bounty program isn't yet comprehensive; in its initial phase it covers a subset of potential vulnerabilities. Among the categories are secure boot firmware components, which carry the top reward of $200,000 per bug. A flaw that enables execution of arbitrary code with kernel privileges will earn a researcher up to $50,000, as will unauthorized access to iCloud account data on Apple's servers. Finally, Apple will pay up to $25,000 for vulnerabilities that allow a sandboxed process to access users' data outside of that sandbox.
"We believe these payment amounts are commensurate with the level of difficulty in attacking some of these systems," Krstic said.