Apple has finally launched its long-awaited bug bounty program at the Black Hat information security conference in Las Vegas. The tech giant will now pay hackers up to $200,000 for identifying vulnerabilities in its products.
The iPhone maker usually relies on its own security teams to fix flaws; this is the first time Apple has announced such a program. Apple’s bug bounty program will initially be limited to a handful of selected researchers, whom Apple will ask to help find security bugs in five specific categories.
Apple said the researchers were selected from a group of experts who had previously helped Apple identify bugs but had not been rewarded for that work. The maker of iPhones and iPads said it decided to limit the scope of the program on the recommendation of other companies that had launched bounty programs earlier.
Rich Mogull, CEO of Securosis and a security analyst who tracks iOS security, said that limiting the number of researchers would spare Apple from dealing with a flood of low-value bug reports. According to Rich,
“Fully open programs can definitely take a lot of resources to manage.”
The new program will start as invite-only, and for now Apple has no plans to expand it. Apple says the bug bounty program will become more open as it matures, and if a researcher outside the program approaches the company with a significant report, they will be invited into the program to work through it.
Apple’s head of security and architecture, Ivan Krstic, said in a statement,
“With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS.”
Payouts depend on the type of flaw: Apple said hackers who can access sandboxed app data can claim up to $25,000, while those who compromise secure boot firmware components can claim a maximum of $200,000.
Apple’s switch from relying on unpaid researchers to offering hackers a reward seems motivated by the hack of the iPhone 5C tied to the San Bernardino shooting. At the time, the FBI asked Apple to provide access to the smartphone belonging to the shooter, but Apple refused, stating that such a move could weaken the data security provided by iPhones. The FBI later unlocked the device with the assistance of a third party.
Because of that, Apple is perhaps hoping that the bug bounty program will ensure that researchers who identify flaws report them to Apple instead of to third-party companies.
Bug bounty programs are common these days among many companies, including Facebook, Google, Microsoft, Yahoo, AT&T, Tesla Motors, and Uber.