Apple announced late last week that it will launch a bounty program offering cash rewards for previously unknown security flaws in its products. The program will launch in September and will be invite-only to begin with. This is the first time Apple has run a program that pays for security reports, although the company has been known to pay for them in the past.
Apple is the latest of several large tech firms to start a bounty program. As the program gets off the ground, Apple plans to keep it invite-only for the time being. However, Apple did say the program would become more widely available in the future, and that anyone who came forward with a significant bug would be invited to join. The company stressed the importance of keeping the group small at the start, and the application process reflects that.
The program will focus on five categories of bugs. These five areas and their respective payouts are listed below. Apple did say that payouts will vary depending on a number of factors. Apple also stated that if a reporter decides to donate their payout to a charity approved by the company, Apple will match the donation.
1. Access from a sandboxed process to user data outside of that sandbox: $25,000
2. Unauthorized access to iCloud account data on Apple servers: $50,000
3. Execution of arbitrary code with kernel privileges: $50,000
4. Extraction of confidential material protected by the Secure Enclave Processor: $100,000
5. Vulnerabilities in secure boot firmware: $200,000
Any reporter will have to jump through a number of hoops to prove that all of Apple’s guidelines were followed, because Apple will only pay for bugs found on the latest hardware and software. With the program launching in the fall, don’t expect to hear much in the news before then. Once Apple green-lights its bounties, don’t be surprised if you hear a story or two about high payouts for bugs in its hardware or software.