Apple to launch Bug Bounty program, will pay up to $200,000 to hackers, cryptographers and researchers depending on bugs found

Ok, this is pretty neat.

Yesterday at the Black Hat conference, an annual event designed for the global InfoSec community, Apple’s head of security engineering Ivan Krstic announced the launch of a bug bounty program that will see Apple paying money to individuals who discover major bugs and security flaws in the company’s software.

Many major technology companies like Google and Microsoft offer bug bounty programs to encourage people to discover and report major vulnerabilities, but until now, Apple has declined to provide a similar program.

The new program is part of an effort to open Apple’s software up to hackers, researchers and cryptographers who want to improve upon it and Apple will be offering up to $200,000 to researchers depending on the bug discovered. Secure boot firmware components will earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn $25,000.

The reward will be determined based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.

Apple has stated that it plans to launch the bug bounty program come December. To be eligible for a reward as part of the program, researchers will need to provide proof-of-concept on the latest versions of iOS and the company’s newest hardware. Apple will also encourage researchers to donate their earnings to charity and will match all bug bounty donations.

The program will be invite only for the time being, limited to a few dozen researchers. Apple plans to make it more open as it grows, and if a non-member discovers a significant bug, they’ll be invited to the program.

Stay tuned for additional details as they become available.

Via MacRumors and TechCrunch