Apple Bug Bounty Program Debuts, Pays Hackers Up to $200K to Find Flaws

Apple has announced this evening that it has joined other tech companies in launching a bug bounty program, which pays security researchers when they uncover vulnerabilities in iOS or recent generations of its hardware.

[Image: Apple bug bounty program, via @saurik]

According to The Verge:

The new program will begin as invite-only, including only a few dozen researchers. Still, Apple says the program will become more open as it grows, and if a non-member approaches Apple with a significant bug, they’ll be invited into the program to work it through. The invite system is unusual for a bounty program, but Apple explained it as necessary to weed out spurious submissions and make sure trusted researchers had adequate support from the company.

So it’s an invite-only bug bounty program starting in September, but if an exploit is discovered by a non-member, they’ll get in. The program doesn’t include macOS yet.

Rich Mogull from Securosis, who is attending the Black Hat USA conference where Apple made the announcement, has listed the bug bounty payouts based on exploits:

  • Secure boot firmware components: up to $200,000
  • Extraction of confidential material protected by the Secure Enclave Processor: up to $100,000
  • Execution of arbitrary code with kernel privileges: up to $50,000
  • Unauthorized access to iCloud account data on Apple servers: up to $50,000
  • Access from a sandboxed process to user data outside of that sandbox: up to $25,000

Also, if security researchers want to donate their bounty to charity, Apple, at their discretion, may match the donation.

It’ll be interesting to see how this program works out. iOS is already very secure, but we know Apple has ongoing plans to increase security further, and the bug bounty program may just help.
