Apple announced at the Black Hat USA 2016 security conference, which ended in Las Vegas a few hours ago, that the company would be setting up and launching a bug bounty program in the coming months.
Among the Silicon Valley elite, Apple was one of the last tech giants still not running a bug bounty program. Microsoft has one, Google has one, Twitter has one, Yahoo has one, and so do Tesla, Uber, and many more.
Many were surprised that Ivan Krstic, Apple's head of security, had agreed to give a public talk about the company's security features, which until now have been kept secret. Nobody expected the big announcement that came during his presentation, ending Black Hat on a high note.
Invite-only, for now
Apple said the program would be an invite-only affair in its first stage, with a few select security researchers asked to participate.
As the program matures, and as Apple's security team gets used to working with outside bug reports, the program will slowly open for more researchers, and then to the entire infosec community.
Around two dozen security researchers are expected to join the program in its initial phase. The company also didn't reveal whether it would deploy its own platform for handling bug reports, as Facebook, Google, and Microsoft do, or whether it would use third-party services such as HackerOne or Bugcrowd.
FBI scandal influenced company's decision
Although it was not mentioned in Krstic's presentation, the recent FBiOS scandal played a major role in the company's decision to take on outside help in fixing and hardening its products against both criminal hackers and state-backed attackers.
During this year's Black Hat security conference, several other companies announced bug bounty programs. The list includes Russian antivirus maker Kaspersky Lab, hardware maker Panasonic, and financial giant MasterCard.
Below is the rewards tier Apple announced for the program's first stage. The company said that other bugs would be rewarded at its discretion. Additionally, if the researcher decides to donate their reward to charity, Apple might double the sum. There are no details yet on which products fall within the bug bounty program's scope.
| Bug type | Reward |
|---|---|
| Secure boot firmware components | Up to $200,000 |
| Extraction of confidential material protected by the Secure Enclave Processor | Up to $100,000 |
| Execution of arbitrary code with kernel privileges | Up to $50,000 |
| Unauthorized access to iCloud account data on Apple servers | Up to $50,000 |
| Access from a sandboxed process to user data outside of that sandbox | Up to $25,000 |
At #BlackHat2016, Apple just announced a new Security Bounty program and has promised to prioritize pushing updates. pic.twitter.com/1jXW1tNMrb — Jay Freeman (saurik) (@saurik) August 4, 2016