Pierluigi Paganini August 05, 2016

Apple has chosen the Black Hat 2016 security conference to announce the launch of its bug bounty program, hackers can earn up to $200,000 for a flaw.

Great news for bug hunters, finally Apple announced that it will pay hackers that will find bugs in its products. Apple is the last IT giant to launch its bug bounty program. Major IT firm, including Facebook, Google, and Microsoft have already launched a similar initiative over last years to reward with a great success.

Apple has chosen the Black Hat 2016 security conference to announce the launch of the bug bounty program. The announcement was made by Ivan Krstić, head of security engineering and architecture at Apple that confirmed the invite to the hacking community to ethically report security vulnerabilities under the bug bounty program.

How much is a vulnerability in Apple product?

The awards are very interesting, bug hunters can earn up to $200,000 for a critical vulnerability affecting the secure boot firmware components, up to $100,000 for a flaw that could be exploit to extract sensitive data protected by the Secure Enclave, up to $50,000 for arbitrary code execution with kernel privileges and unauthorized access to iCloud account data, and up to $25,000 for access from a sandboxed process to user data outside the sandbox.

Apple’s bug bounty program will be launched in September, the IT giant will accept a submission only if it will include a working proof-of-concept (PoC).

But I appreciated also another opportunity that Apple will give to the hackers, if they will donate the reward to a charity, Apple could match the amount.

The bad news is that the bug bounty program will be open only to groups of researchers invited by Apple. The company intends to invite only a limited number of security experts who have previously ethically reported bugs to Apple, but the IT giant will slowly expand its bug bounty program.

In a first phase, the program will be focused on vulnerabilities in iOS and iCloud products.

The experts speculate that the decision of launching a bug bounty program is the response of the company to the battle with the FBI for the case of the San Bernardino shooter’s iPhone.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Apple bug bounty program, Hacking)