Apple is launching its first security bounty. The news comes on the heels of a presentation from Apple’s Ivan Krstic at the annual Black Hat USA security conference in Las Vegas.
Krstic runs security engineering and architecture at Apple and presented an in-depth look at iOS security. This was Apple’s first appearance at Black Hat in four years.
When the program goes live in September, security researchers probing Apple’s latest products for weaknesses will be able to hand over working exploits for cash rewards, or bounties. Smaller firms and industry organizations are no stranger to bug bounty incentives, making Apple one of the last major consumer electronics brands to move away from internal testing and toward public incentives.
The categories and issues up for consideration, along with their bounties, are as follows:
- Secure boot firmware components – up to $200,000.
- Extraction of confidential material protected by the Secure Enclave Processor – up to $100,000.
- Execution of arbitrary code with kernel privileges – up to $50,000.
- Unauthorized access to iCloud account data on Apple servers – up to $50,000.
- Access from a sandboxed process to user data outside of that sandbox – up to $25,000.
But Apple tells me that this isn’t an attempt to be exclusive. The plan is to open it up to more individuals and organizations over time. Apple also says that if someone not associated with an invited organization responsibly discloses a vulnerability, that feedback will be welcome and they may be invited to join the formal process.
With the bug bounty program Apple hopes to incentivize threat discovery, a model that plays to both white and gray hat hackers. The more eyes on its products, the higher the chance Apple has of detecting and dealing with a threat before it impacts millions of device owners around the world.
A long time coming
Although it’s great that Apple is introducing a security bounty, it’s worth noting that the company has taken its time getting here. Nearly every other major tech company – including Microsoft, Google and Facebook – has offered security bounties for years.