It is not uncommon for technology companies to enlist outside help for security. One way this occurs is through a bug bounty program, in which a company offers (usually financial) rewards to individuals who discover security vulnerabilities or other flaws in its products. But the biggest technology company of them all had been absent from the bug bounty sweepstakes. That changed when Apple unveiled its bug bounty program at the Black Hat conference.
Apple’s program differs from most others in that participation is invite-only and rewards run up to $200,000. So far only 12 unnamed security researchers have been invited to join the program, but the number is expected to grow as Apple invites more researchers over time. As Ivan Krstic, head of security engineering and architecture at Apple, stated in the Black Hat reveal speech, “The difficulty in finding most of the critical vulnerabilities is going up and up… we want to reward people for their time and creativity they put into finding bugs in these categories.”
The exclusivity and limited number of participants in Apple’s bug bounty most likely arise from the money involved, which is much more than the industry average for these types of programs. As reported by Dark Reading, the maximum payout for a secure boot flaw is $200,000, whereas identifying a Secure Enclave Processor bug will net the finder $100,000. For vulnerabilities that allow kernel access or iCloud penetration, the reward is $50,000. Finally, “any vulnerability that enables access from a sandboxed process to user data outside of the sandbox” will net $10,000.
It should be reiterated that these figures are the highest possible payouts, not necessarily the actual amounts a researcher will receive. The amount depends on how valuable the submission is to Apple’s security engineers and how serious a threat the vulnerability poses.
If security weaknesses and other vulnerabilities are found and fixed, Apple will benefit greatly from the program. Apple is one of the last big technology companies to start a bug bounty program. Better late than never.