Apple’s new bug bounty program offers up to $200K for vulnerabilities



Apple will begin offering rewards of up to $200,000 to hackers who report security flaws in its software. The iPhone maker thus joins other large technology companies in paying so-called “bug bounties” to people who discover vulnerabilities in their code. The goal is to encourage individuals to report flaws so the company can fix them, and at the same time to discourage hackers from exploiting a flaw or selling the information to third parties.

When a security researcher discovers a vulnerability in a piece of software or an online service, they usually have two choices: sell the find on the black market to criminal organizations that will use the flaw to build malware or exploits, or disclose the bug to the affected company without making it public, so that the hole can be closed with a patch or an update.

To give researchers a reason to prefer the more ethical route, most technology companies and some government agencies have over time launched “bug bounty” initiatives: they offer prize money, varying with the severity of the flaw, in exchange for exclusive disclosure of bugs. Google, Microsoft, Facebook, Twitter, but also Fiat Chrysler and the US Department of Defense, run programs of this type.

Apple had never believed in this kind of solution, whether for reasons of corporate culture tied to a cult of secrecy, or because no legal reward can ever be higher than what the makers of malware and spyware – or intelligence agencies – are willing to pay for a vulnerability in an Apple product.

That is why the new “bug bounty” program the Cupertino company announced yesterday at the Black Hat conference in Las Vegas surprised the community of security experts.

Ivan Krstic, head of Apple’s Security Engineering Division, outlined the plan, which will start in September and will include especially generous payments, explaining that rewards will reach up to $200,000 for highly dangerous vulnerabilities affecting the devices’ secure boot process.
The company will pay up to $100,000 for bugs that allow the Secure Enclave of iOS devices to be breached, and up to $50,000 to anyone who can break into the iCloud servers, always subject to a proof of concept.

These figures are the maximum possible payments; actual rewards will be calculated individually, depending on the severity of the flaw and other technical factors.

Apple’s bug bounty program, unlike those offered by other major Silicon Valley companies, will not be open to everyone: it will initially be invitation-only, to reward researchers who in the past have already disclosed bugs and flaws that the company then fixed. The purpose is to limit initial participation so that Apple’s engineers do not lose sight of the most important flaws in a flood of low-relevance reports. Cupertino also wants to encourage donations to nonprofit organizations and stated that it will double the portion of a reward that researchers decide to donate to charity.
