Apple’s head of security engineering and architecture, Ivan Krstic, made the announcement at Black Hat. The bug bounty program will get underway in September.
It has taken Apple some time to embrace this type of initiative, which rewards researchers and hackers for discovering and submitting security vulnerabilities. In fact, Apple was criticised during its battle with the FBI when the latter was trying to break into an iPhone used by Syed Farook, one of the individuals involved in the San Bernardino shooting last December. It was believed that Apple's unwillingness to reward researchers for sharing vulnerability information resulted in the FBI being able to find a third party to exploit a flaw.
Krstic told attendees at Black Hat, “Feedback that we’ve heard pretty consistently both from my team at Apple and also from researchers directly is that it’s getting increasingly more difficult to find some of those most critical types of security vulnerabilities. So the Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple.”
- Vulnerabilities in secure boot firmware components: Up to $200,000
- Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
- Execution of arbitrary or malicious code with kernel privileges: Up to $50,000
- Access to iCloud account data on Apple servers: Up to $50,000
- Access from a sandboxed process to user data outside the sandbox: Up to $25,000
Interestingly, Apple is hoping that researchers who receive a reward will do some good with it. Apple is encouraging them to donate their reward to charity, and if Apple approves of a researcher’s selected institution, it will match their donation.