Finally, Apple is starting a bug bounty program. The company is late to the growing trend of this type of initiative, which offers rewards to researchers who discover and submit security vulnerabilities for companies to preemptively patch. But Ivan Krstic, Apple’s head of security engineering and architecture, announced at Black Hat on Thursday that the company will launch an incentive structure in September.
And in fact, by offering up to $200,000 for some discoveries, it seems to be the highest corporate bounty ever.
Pressure for Apple to do this has been mounting for months. In the fallout from its battle with the FBI, for example, Apple took flak from some in the security community. They speculated that the FBI had ultimately been able to find a third party to exploit iPhone security only because Apple had no incentive in place to encourage researchers to share that information directly with Apple.
Apple got the message. “We’ve had great help from researchers like you in improving iOS security all along,” Krstic told the crowd at Black Hat. “Feedback that we’ve heard pretty consistently both from my team at Apple and also from researchers directly is that it’s getting increasingly more difficult to find some of those most critical types of security vulnerabilities. So the Apple Security Bounty Program is going to reward researchers who actually share critical vulnerabilities with Apple.”
At the high end, the program will pay out up to $200,000 for vulnerabilities found in Apple’s secure boot firmware components—the fundamental first protection that keeps your devices safe. To get this much, researchers would have to find vulnerabilities in the “secure boot” mode of the software that coordinates all functions. A malicious hacker exploiting such a vulnerability could cause real harm, hence the large number. To …