Apple is known for its obsession with the security of its devices. It even went so far as to challenge the FBI and a US court order when it came to unlocking its phones. At the same time, it has kept its distance from the external security researchers who regularly report bugs in tech companies' products. That is now changing: Apple is launching its own bug bounty program to reward researchers.
At the recent Black Hat conference, Apple's head of security engineering and architecture, Ivan Krstic, made the announcement. He revealed that the Apple bug bounty program will offer rewards of up to $200,000 to researchers who discover vulnerabilities in its products.
Interestingly, an announcement from a member of Apple's security team at Black Hat was a surprise in itself. Apple usually makes such announcements at its own event, WWDC, and no Apple representative had spoken at Black Hat in the past four years.
Coming back to the bounty program: initially it will be invite-only. Apple will only allow researchers who have previously helped it discover bugs to participate.
The company said that opening the program to the general public could cause high-risk vulnerabilities to be lost among a large volume of reports. However, it plans to expand the program in future and remains open to new researchers who discover valuable issues.
The Apple bug bounty program has five vulnerability categories, each with a maximum reward:
- vulnerabilities in secure boot firmware components (up to $200,000);
- extraction of confidential material protected by the Secure Enclave Processor (up to $100,000);
- execution of arbitrary code with kernel privileges (up to $50,000);
- unauthorized access to iCloud account data on Apple servers (up to $50,000);
- access from a sandboxed process to user data outside that sandbox (up to $25,000).
To be eligible for any of these rewards, researchers must provide a proof of concept that works on the latest iOS release and the latest hardware.
Apple will make the final decision on the reward amount based on several factors: the clarity of the report, the novelty of the problem, the likelihood of user exposure, and the degree of user interaction required to exploit the vulnerability.
Previously, Apple's reasoning for not running a bug bounty program was that the black market and governments bid so high for vulnerabilities that a bounty could not compete. However, with the increasing complexity of its systems, Apple seems to have had a change of heart.
The company said that it has become increasingly difficult for both in-house and external researchers to discover vulnerabilities, and that it is therefore time to incentivise researchers to submit bug reports.
Notably, Apple is also encouraging researchers to donate their reward to charity, and will double the amount if it approves the chosen institution. So a $50,000 reward could become a $100,000 donation.
Apple will open the bug bounty program, on an invitation basis, in September this year.