Image via @lorenzofb
Apple debuted its bug bounty program back in 2016, offering security researchers up to $200,000 USD to find iOS security flaws. The program has since lagged behind other companies' programs, and today Apple announced significant changes that should benefit its users.
According to TechCrunch, Apple made the announcements at the Black Hat conference in Las Vegas, Nevada, today. The bug bounty program will now pay for exploits found on macOS, tvOS and watchOS, joining iOS.
Essentially, if you find a security vulnerability and report it to Apple and the company fixes it, you’ll get paid.
Apple's head of security engineering and architecture, Ivan Krstić, announced the new program, which now covers flaws on Mac, Apple TV and Apple Watch in addition to iPhone and iPad.
Patrick Wardle, the principal security researcher at Jamf, told TechCrunch this was a win for Apple users.
“Granted, they hired many incredibly talented researchers and security professionals — but still never really had a transparent mutually beneficial relationship with external independent researchers,” said Wardle.
Apple also explained that the bug bounty program will open to all researchers later this year, and that the maximum payout per exploit will increase five-fold, from $200,000 to $1 million USD. That top payout is reserved for exploits that would let an attacker take control of a user's phone knowing nothing more than their phone number.
Here are Apple’s payouts for bug bounties and their corresponding categories.
Maximum payout is now 1 million.
— Lorenzo FB @ Black Hat (@lorenzofb) August 8, 2019
Researchers who find an exploit in a beta version of Apple’s software and report it before the final release can also qualify for a 50% bonus on top of the payout for the designated vulnerability category.