Apple finally rewarding people for finding security flaws

Apple announced the launch of a bug bounty program, offering up to $200,000 for some discoveries.

Apple’s head of security engineering and architecture, Ivan Krstic, made the announcement at Black Hat. The bug bounty program will get underway in September.

It has taken Apple some time to embrace this type of initiative, which rewards researchers and hackers for discovering and submitting security vulnerabilities. In fact, Apple was criticised during its battle with the FBI when the latter was trying to break into an iPhone used by Syed Farook, one of the individuals involved in the San Bernardino shooting last December. It was believed that Apple's unwillingness to reward researchers for sharing information about vulnerabilities was what allowed the FBI to find a third party able to exploit a flaw.

Krstic told attendees at Black Hat, “Feedback that we’ve heard pretty consistently both from my team at Apple and also from researchers directly is that it’s getting increasingly more difficult to find some of those most critical types of security vulnerabilities. So the Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple.”

There will be five categories of risk and reward:

  • Vulnerabilities in secure boot firmware components: Up to $200,000
  • Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
  • Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
  • Access to iCloud account data on Apple servers: Up to $50,000
  • Access from a sandboxed process to user data outside the sandbox: Up to $25,000

Interestingly, Apple is hoping that researchers who receive a reward will do some good with it. Apple is encouraging them to donate their reward to charity, and if Apple approves of a researcher’s selected institution, it will match their donation.
