Apple Launches Its First Bug Bounty Program, But It's Invite-Only For Now
At the Black Hat cybersecurity conference in Las Vegas, Apple unveiled a bug bounty program that will reward security researchers who discover and report vulnerabilities in the company's products and services.

Apple's bug bounty program will be launching in September, and it is the first time that the company will be explicitly offering cash rewards in exchange for information on vulnerabilities.

Apple is one of the last of the big names in the tech industry to launch a bug bounty program. While major players such as Facebook, Google and Microsoft have had such programs in place for years, Apple has previously relied on its internal security teams and its informal relationships with security researchers, with a tip line maintained for reporting issues.

The program, which was unveiled by Apple security head Ivan Krstic, will pay bounties of up to $200,000 for reported bugs. The aim of the rewards, as with other bug bounty programs, is to get security researchers to report any vulnerabilities they discover to Apple, instead of selling the information to hacking groups or governments.

The decision to finally launch a bug bounty program could be related to the recent legal battle between Apple and the United States Department of Justice. Apple refused to help the government in creating a backdoor for the encryption of the iPhone 5c that was used by one of the shooters in last year's San Bernardino incident, as the workaround could then be used on all other iPhones, risking the security of all Apple device users.

Instead of staying in the courtroom, the government turned to a third-party cybersecurity research group, which was able to utilize a previously unreported issue in iOS 9. The group was able to crack the encryption of the iPhone 5c, and the government was reported to have paid over $1 million for the hacking tool.

According to Rich Mogull, CEO of cybersecurity research firm Securosis, Apple could have prevented that scenario from unfolding by launching a bug bounty program earlier. However, he added that the company may not be able to outbid any government or group willing to pay $1 million for a tool to break through Apple's digital defenses.

Still, a bug bounty program could prove to be better than none at all, as more vulnerabilities could be reported to Apple instead of simply floating around, waiting to be discovered and exploited by hackers with bad intentions.

The program, however, is currently invite-only, with only a few dozen security researchers in the fold. Apple said that its bug bounty program will open up more as it grows, and that if a non-member approaches Apple with a significant discovery, that researcher will be immediately invited into the program.

As to why it decided to require invitations for its bug bounty program, the company said that this is necessary to prevent floods of fake submissions, and to ensure that trusted security researchers receive the necessary support from Apple.

There are five categories for the bugs that can be reported in the program, with the category offering the highest rewards of up to $200,000 focused on those that compromise Apple's hardware by breaking through secure boot firmware components. These vulnerabilities are the ones that jailbreaks take advantage of.

ⓒ 2018 All rights reserved. Do not reproduce without permission.