Ivan Krstic, Apple head of Security Engineering and Architecture, announced during his presentation at the 2016 Black Hat Conference that Apple plans on launching its first-ever bug bounty program. Apple will pay up to $200,000 USD to researchers who discover and report iOS and iCloud bugs and security vulnerabilities. Apple is also offering successful researchers the option to donate bug bounty payments to charity; at its discretion, the company will match those donations. Apple’s upcoming bug bounty program will initially be invite only, with a select group of researchers providing reports on discovered bugs and security vulnerabilities.
Apple has categorized the iOS and iCloud bugs and security vulnerabilities included in the program into five specific categories, although the company may consider paying for other critical vulnerabilities. The highest-paying category is “secure boot firmware components,” which pays up to $200,000 USD. Researchers will need to report in detail the bugs and security vulnerabilities they discover, and bounties will be based on a number of factors such as severity, how the bug or vulnerability is triggered, and how well the researcher describes the flaw.
Apple is lagging behind when it comes to bug bounty programs as numerous technology companies including Facebook, Google, Microsoft, and Uber have been offering bug bounties for quite some time now. A great many companies have benefitted from their bug bounty programs providing financial and other types of incentives for white hat hackers to help improve the security of devices and applications.
Apple plans on launching its new invite-only bug bounty program in September. Apple is starting out small with its bug bounty program; however, the program may be open to a greater number of participants in the future.