Apple launches bug reporting rewards program

Apple has set up its own bug bounty program. The manufacturer will pay for vulnerabilities found in its software. The amount depends on the severity of the vulnerability, with a maximum of $200,000.

The rewards program, which TechCrunch writes about, will start in September, and participation will initially be by invitation only. Anyone who finds a critical vulnerability can be invited to the program. This was announced by Ivan Krstic, a security engineer at Apple, during a session at Black Hat 2016.

Apple uses different categories for reported vulnerabilities. The company pays up to $200,000 for bugs in ‘Secure boot firmware components’. Extracting sensitive data from the Secure Enclave Processor of Apple devices is rewarded with a maximum of $100,000. The ability to run arbitrary code with elevated kernel privileges, and unauthorized access to iCloud accounts, can each lead to a $50,000 payout.

When determining the amount the reporter will receive, the clarity of the report, the likelihood that user data is at stake, and the amount of effort needed to exploit the vulnerability all play a role. Apple pledges to double the size of rewards donated to charity.

Apple is relatively late with a special rewards program for reporting vulnerabilities. Large internet and software companies such as Google and Facebook have had this for some time. The traditionally closed company seems to have become more open, as evidenced by the increasing number of open source projects from Apple. At the same time, there have been some security incidents related to Apple services in recent years, such as with Messages and Siri.

Image courtesy of Jay Freeman.