Short Bytes: Apple will launch a bug bounty program this fall, with rewards of up to $200,000. Researchers will have to submit a proof of concept that works on the latest Apple software and hardware. The announcement was made at the Black Hat conference.
Until now, Apple had declined outside offers of vulnerability reports and kept to itself when it came to accepting external help to improve its products. Although the security of its products is widely regarded as strong (the FBI battle being one example), Apple has now recognised the need for a bug bounty program.
The program will consist of five categories:
- Bugs in secure boot firmware components: (up to) $200,000
- Bugs facilitating extraction of confidential material from Secure Enclave: (up to) $100,000
- Executions of arbitrary or malicious code with kernel privileges: (up to) $50,000
- Access to iCloud data on Apple servers: (up to) $50,000
- Access from a sandboxed process to user data outside the sandbox: (up to) $25,000
Apple's bug bounty program will be rolled out in phases. Initially it will cover vulnerabilities in iCloud and in iOS devices such as the iPhone and iPad, and participation will be by invitation, limited to researchers Apple has worked with in the past. More researchers and more products will be added at later stages. However, if a new researcher submits a high-risk vulnerability, Apple says it won't turn it down.
A proof of concept on the latest software version and the latest device hardware will be mandatory to claim a bounty. The amount paid will depend on the severity of the bug, how easily it can be exploited, the degree of user exposure, and similar factors.
Apple will encourage bounty recipients to donate their reward to charity, and Cupertino will match the donation. How much it chooses to add, of course, remains at Apple's discretion.
This is Apple's first bug bounty program, and it comes at the right time, because if you don't pay for your bugs, someone else will. That is what happened in the FBI vs Apple case, where the FBI reportedly paid more than $1 million to have the San Bernardino shooter's iPhone 5C unlocked after Apple refused to do so.
Apple has behaved like a studious kid who keeps his notes locked away so no one else can see them. But times are changing, and the kid has to change his habits or he will be left behind in his own world. Taking outside help is not a bad idea; in fact, it is fruitful, because you gain the support of brilliant minds who are not part of your company.
Hopefully, the bug bounty program helps remove serious vulnerabilities before someone else pays for them and gets the chance to breach the security of Apple's products.
via Tech Crunch