Apple is seeking better vulnerability disclosure with the launch of its new bug bounty program. The company announced the initiative yesterday at the Black Hat security conference in Las Vegas, after a history of reluctance to let external researchers hunt for flaws in its iPhones and other software.
The program will start as an invitation-only system open to a small number of selected exploit researchers; eventually it will reward any submitter who finds a significant vulnerability in Apple’s latest hardware and iOS.
Public bug bounty programs have proven effective over time, but in some cases the downsides of the practice can be dangerous, according to Rich Mogull, CEO of information security firm Securosis.
Apple’s bug bounty is scheduled to begin in September, with payouts of up to $200,000.
The more sensitive the bug, the higher the bounty
The bug bounty program’s first phase consists of five categories covering major exploits, such as arbitrary code execution or data extraction from the Secure Enclave, valued at $50,000 and $100,000 respectively.
The other categories are unauthorized access to iCloud account data ($50,000), escaping a sandboxed process ($25,000), and vulnerabilities affecting the secure boot firmware components, which carry the top reward of $200,000.
Apple also announced that bounties will be doubled if submitters donate their rewards to charity.
Apple will not let just anybody mess with its software
The program’s invitation-only system is an unusual requirement for this sort of program, but Apple made clear that any researcher can become involved.
“It’s not meant to be an exclusive club,” said Ivan Krstic, Head of Apple Security Engineering and Architecture.
The company explained that this measure helps rule out dubious submissions that would not be usable for fixing bugs, ensuring that reports come from experts and prospective members.
With bug bounty programs growing in popularity thanks to their adoption by major companies such as Google, Facebook, and Uber, Apple has finally given in to the trend.
Though the tech giant has its own security team to deal with flaws, bug bounty programs offer an additional way to encourage responsible disclosure.
Source: The Verge