
Apple starting its own bug bounty program with big rewards

Apple is starting a bug bounty program that offers big rewards to researchers who find critical vulnerabilities in iOS or iCloud.

Las Vegas -- Apple hasn't often used the "one more thing" trick in a speech since Steve Jobs died, but it pulled it out at Black Hat 2016 to announce the Apple Security Bounty program.

Ivan Krstić, head of security engineering and architecture at Apple, said the company was going to begin offering rewards now because of how hard Apple has made it to find critical vulnerabilities.

"What we've heard consistently both from my team at Apple and also from researchers directly is that it's getting increasingly more difficult to find some of the most critical types of security vulnerabilities," Krstić said. "So, the Apple Security Bounty program is going to reward researchers who actually share critical vulnerabilities with Apple and we're going to make it a top priority to resolve these issues as quickly as possible."

Apple's bug bounty program will offer five categories of rewards -- three for critical vulnerabilities found in iOS, one for unauthorized access to iCloud data on Apple servers and one for access from a sandboxed process to user data outside the sandbox.

The rewards max out at $200,000 for a flaw in the iOS secure boot firmware components, up to $100,000 for extracting confidential material from the Secure Enclave processor, up to $50,000 for execution of arbitrary code with kernel privileges or for unauthorized iCloud access, and up to $25,000 for accessing user data from within a sandboxed process.

"We believe that these payment amounts are commensurate with the difficulty in hacking some of these systems," Krstić said, adding that rewards could be doubled if researchers choose to donate them to charity. "And, I mention these are all maximum payments. The exact payment amount will be determined after we on the engineering team review the actual report that is submitted."

Apple will provide public recognition for the researcher unless the researcher asks otherwise, and said rewards will depend on factors such as the impact to users.

The bug bounty program will go live in September and will use an invitation system. Apple will invite a few dozen researchers to participate at first, but will open the program up so that if an outside researcher submits a critical vulnerability deemed worthy of a reward, they will receive that reward and also be asked to join the program.
