Apple announced this evening that it has joined other tech companies in launching a bug bounty program, which pays security researchers who uncover vulnerabilities in iOS or in recent generations of Apple hardware.
According to The Verge:
The new program will begin as invite-only, including only a few dozen researchers. Still, Apple says the program will become more open as it grows, and if a non-member approaches Apple with a significant bug, they’ll be invited into the program to work it through. The invite system is unusual for a bounty program, but Apple explained it as necessary to weed out spurious submissions and make sure trusted researchers had adequate support from the company.
So it’s an invite-only bug bounty program starting in September, but if a non-member discovers a significant bug, they’ll be invited in. The program doesn’t include macOS yet. The categories and maximum payouts are:
- Secure boot firmware components: up to $200,000
- Extraction of confidential material protected by the Secure Enclave Processor: up to $100,000
- Execution of arbitrary code with kernel privileges: up to $50,000
- Unauthorized access to iCloud account data on Apple servers: up to $50,000
- Access from a sandboxed process to user data outside of that sandbox: up to $25,000
Also, if security researchers want to donate their bounty to charity, Apple, at their discretion, may match the donation.
It’ll be interesting to see how this program works out. iOS is already very secure, but we know Apple has ongoing plans to increase security further, and the bug bounty program may just help.