So finally, Apple will pay you for your efforts of finding bugs in its products.
While major technology companies have launched bug bounty programs over the last few years to reward researchers and hackers who report vulnerabilities in their products, Apple remained a holdout.
But not anymore.
On Thursday, Apple announced at the Black Hat security conference that the company would launch a bug bounty program this fall to pay outside security researchers and white-hat hackers who privately disclose security flaws in the company's products.
How much is a vulnerability in Apple software worth? Any Guesses?
It's up to $200,000.
Ivan Krstic, head of Apple's security team, said the company plans to offer rewards of up to $200,000 (£152,433) to researchers who report critical security vulnerabilities in certain Apple software.
That is certainly a sizable bounty, one of the highest rewards offered in any corporate bug bounty program.
The Bug Bounty Program is Invite-Only, for Now
For now, Apple is intentionally keeping the scope of its bug bounty program small by launching it as an invitation-only program, open to a limited group of security researchers who have previously made valuable bug disclosures to Apple.
The company will slowly expand the bug bounty program.
Launching in September, the program will offer bounties for a small range of iOS and iCloud flaws.
Here’s the full list of risk and reward:
- Flaws in secure boot firmware components: Up to $200,000 (~£150,000).
- Flaws that could allow extraction of confidential data protected by the Secure Enclave: Up to $100,000.
- Vulnerabilities that allow execution of malicious or arbitrary code with kernel privileges: Up to $50,000.
- Flaws that grant unauthorized access to iCloud account data on Apple servers (remember the celebrity photo leak?): Up to $50,000.
- Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.
To be eligible for a reward, researchers will need to provide a proof-of-concept (PoC) on the latest iOS release and hardware. The reward amount will also depend on the clarity of the bug report, the novelty of the problem, the likelihood of user exposure, and the degree of user interaction necessary to exploit the flaw.
Decision Comes in the Wake of the FBI Scandal
Earlier this year, Apple fought a much-publicized legal battle with the FBI over a court order to access the locked iPhone of the San Bernardino shooter.
When the FBI demanded that Apple unlock the shooter's iPhone, the company refused, eventually leading the bureau to hire professional hackers to break into the device.
Perhaps the company is trying to eliminate such lucrative backdoors into its software and make its devices so secure that even Apple itself cannot crack them.
from The Hacker News http://ift.tt/2aCAs91