Apple Launches Bug Bounty Program; Will Pay Up To $200K For Reports

Image courtesy of Adam Fagen

Between iPhones, iPads, Mac computers, and other devices, hundreds of millions of people have sensitive personal information stored on Apple products. In an effort to ensure this info and other data remains secure, Apple has joined the ranks of companies publicly offering bug bounties to hackers who find and alert Apple of security flaws.

Apple unveiled the bug bounty program at the Black Hat security conference on Thursday, saying it will begin offering cash bounties of up to $200,000 to researchers who discover vulnerabilities in its products, Apple Insider reports.

The program, which will officially launch in September, will initially be invitation-only. Exactly who will receive these invitations was unclear, but the company says that non-members who find particularly interesting bugs and report them could find an invitation waiting.

For now, Apple Insider reports the payouts for security issues are relegated to five categories of risk:

• $200,000 for secure boot firmware components
• $100,000 for extraction of confidential material protected by the Secure Enclave Processor
• $50,000 for execution of arbitrary code with kernel privileges
• $50,000 for unauthorized access to iCloud account data on Apple servers
• $25,000 for access from a sandboxed process to user data outside of that sandbox

Apple Insider reports that it appears Apple will expand the risk categories in the future, but the company didn’t say when.

To be eligible for a reward, researchers must provide a proof-of-concept on the latest iOS and hardware.

TechCrunch reports that Apple will determine the exact reward amount based on the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.

Researchers who choose not to take a payout, but instead donate it to charity, will see their payment matched one-for-one by Apple.

Apple announces upcoming bug bounty program, initially invite-only [Apple Insider]