Earn up to $200,000 as Apple *finally* launches a bug bounty

Graham Cluley

Cluley 250 thumb

The Verge writes:

Apple is planning a new bug bounty program that will offer cash in exchange for undiscovered vulnerabilities in its products, the company announced onstage at the Black Hat conference today. Launching in September, the program will offer cash rewards for working exploits that target the latest version of iOS or the most recent generation of hardware. It’s the first time Apple has explicitly offered cash in exchange for those vulnerabilities, although the company has long maintained a tip line for disclosing security issues.

Ivan Krstic, Apple’s head of security engineering and architecture, made the announcement during a presentation at Black Hat on Thursday.

The top reward comes for finding flaws in vulnerabilities in Apple’s “secure boot” process, which if broken could seriously compromise security.

As Hacker News reports, for now Apple’s bug bounty program is invite-only – meaning that the only people likely to be ushered in are those who have a track record in finding exploitable flaws in the company’s code. Hopefully things will loosen up over time, and from the sound of things they are open to adding others who come forward after finding critical vulnerabilities in key areas.

Frankly, an Apple bug bounty is long overdue.

Apple was looking incongruous in not offering a reward for security researchers who uncovered critical vulnerabilities in its products. After all, if you were a vendor you would rather have those who find security vulnerabilities in your products work with you rather than selling off their exploits to a third-party, wouldn’t you?

With a bug bounty in place, serious exploitable vulnerabilities are more likely to be responsibly disclosed to Apple, and users are more likely to be protected in a timely fashion.

Good.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES