Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Apple
    • Apple
    • Cybersecurity

    Apple Launches Bug Bounty With Rewards of Up to $200K

    By
    Sean Michael Kerner
    -
    August 5, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Apple Black Hat

      LAS VEGAS—Ivan Krstic, head of Apple Security Engineering and Architecture, was a surprise late addition to the Black Hat USA conference here Aug. 4 in a session in which he detailed upcoming security features in iOS 10. At the end of the talk, Krstic made an unexpected announcement—an Apple bug bounty program.

      “I have some news. I’m very happy to say that Apple today is announcing an Apple security bug bounty program,” Krstic said as the capacity crowd erupted into spontaneous applause.

      Over the years, Apple has benefited from the feedback of security researchers, Krstic said, but it is increasingly difficult to find the most severe vulnerabilities. To that end, the Apple security bug program will reward researchers who share critical vulnerabilities with Apple. Krstic added that Apple is making it a top priority to resolve issues as quickly as possible as well as provide public recognition for researchers.

      The bug bounty program isn’t yet comprehensive; rather in its initial phase it covers a subset of potential vulnerabilities. Among the categories are secure boot firmware components, which is also the top reward at $200,000 per bug. A flaw that enables execution of arbitrary code with kernel privileges will earn a researcher up to $50,000, as will the unauthorized access to iCloud account data on Apple’s servers. Finally, Apple will pay up to $25,000 for vulnerabilities that will enable from a sandboxed process access to users’ data outside of that sandbox.

      “We believe these payment amounts are commensurate with the level of difficulty in attacking some of these systems,” Krstic said.

      If researchers choose to donate their rewards to charity, Apple will match the donation. Krstic noted that the listed amounts are the maximum payouts from Apple, with the precise amount determined after Apple’s engineering team reviews a submitted vulnerability. A security researcher will need to clearly document the flaw with a proof of concept and prove that it can work on the latest version of iOS. Additionally, Krstic’s team will look to see how much user interaction is required for a vulnerability to actually work.

      “We know there are important vulnerabilities elsewhere, but this is where we are starting today,” he said.

      The program goes live in September and will initially be a private invite-only effort. Krstic said that he will be inviting a “few dozen” top researchers to participate in the program.

      “It’s not meant to be an exclusive club,” he said. “So if someone outside of the program brings us a bug that would be covered by the program, we will welcome that.”

      Krstic’s talk at Black Hat is the first time an Apple employee has made a presentation about Apple security at the security conference since 2012. That talk was widely criticized, as the speaker, Apple Platform Security Manager Dallas De Atley, declined to take any questions, which is something that is generally expected from all Black Hat speakers. Krstic did take questions, but he only answered questions that pertained to the details he provided on Apple security during his talk.

      The first question he got was about the influence of the FBI’s efforts to unlock the iPhone on Apple’s iOS 10 security architecture.

      “I’m an engineer. I’m happy to answer technical questions about what I’ve covered today,” Krstic responded.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×