While many tech companies started their bug bounty programs years ago, Apple held out until now. Today, Ivan Krstic, the head of security engineering and architecture at Apple, announced at Black Hat that Apple will now be giving 200,000 US dollars cash to anyone who discovers loopholes in its security systems.
This news comes as Apple has started to reduce the secrecy around its security architecture and to give a chance to hackers, researchers and cryptographers who want to help Apple improve its security. This is the first time in four years that Apple is speaking at Black Hat, and Krstic’s lecture on the security features of HomeKit, AutoUnlock, and iCloud Keychain is a big leap for Apple in terms of talking about its security systems.
Some analysts attributed Apple’s late entry into the bug bounty program to its rough past relationship with security researchers and to higher bids by governments and black markets, citing rumors that the FBI paid close to a million dollars to hack San Bernardino terrorist Syed Farook’s iPhone. The reward is unlikely to tempt hackers interested in monetary rewards, but rather those who want to make a positive impact. The program will be launched in September and will have five categories of rewards, namely:
- Vulnerabilities in secure boot firmware components: Up to $200,000
- Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
- Execution of arbitrary or malicious code with kernel privileges: Up to $50,000
- Access to iCloud account data on Apple servers: Up to $50,000
- Access from a sandboxed process to user data outside the sandbox: Up to $25,000
Apple also plans to convince winners to donate their earnings to charity. Apple will double the reward if the earnings are donated to an Apple-approved charity.