At the Black Hat Conference in Las Vegas last week, Apple introduced its first bug bounty program. Whereas Apple has historically relied upon security researchers and hackers to discover and report critical security exploits out of the goodness of their hearts, Apple finally wised up and realized that it might want to include some sort of financial incentive for those who have a knack for discovering important security flaws.
As laid out by Apple’s top security chief Ivan Krstic, Apple will pay out as much as $200,000 to individuals or teams who unearth serious software vulnerabilities. As we detailed last week, Apple’s newly christened bug bounty program looks like this:
• Secure boot firmware components – Max payout of $200,000
• Extraction of confidential material protected by the Secure Enclave Processor – Max payout of $100,000
• Execution of arbitrary code with kernel privileges – Max payout of $50,000
• Unauthorized access to iCloud account data on Apple servers – Max payout of $50,000
• Access from a sandboxed process to user data outside of that sandbox – Max payout of $50,000
While it’s nice to see Apple follow the lead of other tech companies and offer monetary rewards for reported bugs, Apple may have a tough time keeping up with black hat companies that are more than willing to dole out far more cash for, more often than not, iOS-based security exploits.
As highlighted by 9to5Mac earlier today, a company called Exodus Intelligence is offering varying amounts of cash for a wide variety of hacks. With respect to iOS in particular, the company is offering up as much as $500,000 “for a zero-day vulnerability in iOS 9.3+.”
It’s fair to say that Apple will not get into a bidding war for security vulnerabilities, and to be fair, Apple’s payout of $200,000 is hardly a figure to scoff at. All the same, individuals who uncover a vulnerability might still be inclined to officially disclose it to Apple, as doing so might earn them a little more of the spotlight.