Apple has announced that it is to launch its first official 'bug bounty' programme, offering payouts of up to $200,000 for security vulnerabilities found in its hardware and software products.
Joining the likes of Google and Microsoft, Apple's first formal bug bounty programme was announced during the Black Hat conference late last week. According to SC Magazine, in attendance at the event, the company's programme will have tiered payouts depending on the severity of the flaw discovered and exactly which products or services are affected: critical flaws in the Secure Boot portion of Apple's Extensible Firmware Interface (EFI) will be eligible for up to $200,000 per flaw, while flaws in the Secure Enclave Processor of its mobile devices are worth $100,000. Other targeted areas include arbitrary code execution on devices, remote iCloud access without authorisation, and any and all means of breaking out of an operating system's sandbox.
The move marks the first time Apple has officially stated it will pay for security vulnerabilities. Previously, all reports to the company were made without the promise of financial recompense, and if the company has made payments to researchers as a result it has done so under the radar. Its new bounty programme, though, is designed to encourage researchers to dig deeper into the security of Apple products - and, more importantly, to disclose any problems directly to Apple rather than trying to make a fast buck on the black market or via grey-hat vulnerability purchasing programmes - in an effort to improve their security for all users.
The programme will launch initially by invitation only, with researchers who have previously disclosed vulnerabilities to the company being picked for early access. The company then plans to extend coverage to anyone submitting serious vulnerabilities - though being outside the invitation list brings with it the risk Apple will consider your submission unworthy of payment.