Apple on Thursday introduced its first bug bounty program, set to launch in September.
Ivan Krstic, head of Apple security engineering and architecture, announced the program during his presentation at the Black Hat security conference in Las Vegas.
The program reportedly focuses on an exceptionally high level of service and on quality over quantity. Participation initially will be by invitation only and limited to a select group of researchers.
However, Apple plans to work with other researchers on a case-by-case basis, and the company reportedly will expand the program over time.
The bug bounty program “signifies how important it is to have community-based security versus an exclusive in-house security program,” noted Chenxi Wang, chief strategy officer at Twistlock.
“To their credit [Apple] have done a great job in the quality and security of their software,” she told TechNewsWorld, “but even Apple can’t do it alone. They need the collective brain power of the hacking community to help.”
Reward Potential
Apple will offer these bounties:
- Up to US$200,000 for vulnerabilities in boot firmware components;
- Up to $100,000 for flaws that allow the extraction of confidential material from the Secure Enclave Processor;
- Up to $50,000 for vulnerabilities allowing the execution of arbitrary code with kernel privileges;
- Up to $50,000 for flaws that allow unauthorized access to iCloud account data on Apple servers; and
- Up to $25,000 for flaws that enable access from a sandboxed process to user data outside that sandbox.
Apple also may reward researchers who share an exceptional, critical vulnerability outside of the five categories listed.