Apple is planning to launch its first bug bounty programme, an invite-only scheme offering hackers and security researchers up to $200,000 for vulnerabilities in iOS and iCloud. Set to launch in September, the programme was announced by Ivan Krstić, head of Apple Security Engineering and Architecture, at the Black Hat conference on 4 August.
Many tech giants have started bug bounty programmes in recent years, paying outside researchers to find and report flaws in their software and infrastructure before attackers can exploit them.
While Google, Microsoft, Yahoo, Facebook and Twitter have run bounty programmes for years, the US Department of Defense, Uber and Chrysler launched their own this year. Apple had instead relied on its internal security team, and as one of the few major tech companies without a programme it faced mounting criticism and pressure to start one.
Apple's announcement also comes just months after its much-publicised battle with the FBI over access to the San Bernardino shooter's iPhone. The federal government dropped the case against Apple on 28 March after an unidentified third party helped it break into the phone, a method the FBI later indicated it had paid nearly $1m for.
Krstić, however, reportedly did not comment on whether there was a link between the FBI case and Apple's decision to launch the programme.
"I'm an engineer, I'm happy to answer technical questions about what I've covered today," he said, USA Today reports.
Apple's new invitation-only bug bounty programme will only be open to security researchers who have previously found and reported valuable vulnerabilities to the company. However, Mashable reports that responsible feedback and vulnerability reports from "someone not associated with an invited organisation" will also be welcome and may prompt a formal invitation into the programme.
According to Mashable, the programme includes five categories of issues with varied bounties for each:
- Vulnerabilities in secure boot firmware components: up to $200,000
- Vulnerabilities that allow extraction of confidential material protected by the Secure Enclave Processor: up to $100,000
- Execution of arbitrary code with kernel privileges: up to $50,000
- Vulnerabilities that give unauthorised access to iCloud account data on Apple servers: up to $50,000
- Vulnerabilities that allow a sandboxed process to access user data outside of that sandbox: up to $25,000
"It should surprise no one that Apple is writing their own playbook for bug bounties," Securosis CEO and iOS security analyst Rich Mogull wrote in a blog post. "Both bigger, with the largest potential payout I'm aware of, and smaller, focusing on a specific set of vulnerabilities with, for now, a limited number of researchers."
In May, Twitter reported that its own bug bounty programme had received 5,171 reports over two years and paid out a total of $322,420 to researchers. In January, Google revealed that it had paid out more than $6m since its programme launched in 2010, including more than $2m to over 300 security researchers last year. Facebook, for its part, said it had paid more than $4.3m to over 800 researchers since its programme launched five years ago.
Facebook recently awarded a 10-year-old Finnish boy $10,000 for discovering an Instagram flaw that allowed him to force-delete other users' comments and captions.