
Apple boosts bug bounty program, offers greater rewards for locating critical security vulnerabilities ahead of time

If you want the good stuff, you’ve got to pay for it.

Apple has introduced an expanded bug bounty program that covers macOS, tvOS, iCloud, and iOS. The program was unveiled at the Black Hat hacker conference in Las Vegas, in a presentation hosted by Apple’s head of security engineering, Ivan Krstić. The company first introduced its bug bounty program for iOS devices in August of 2016, allowing security researchers who locate bugs in iOS to receive a cash payout for disclosing the vulnerability to Apple.

The change also follows an incident earlier this year in which the company’s lack of a bug bounty program prompted a German teenager to refuse to hand over details of a major macOS Keychain security flaw, given that Apple didn’t have a payout plan in place. While the teenager eventually handed over the details of the hack, he said that he hoped his refusal would inspire Apple to expand its bug bounty program, which the company has indeed done.

Under the updated bug bounty program, Apple is increasing the maximum size of the bounty from $200,000 per exploit to $1 million, depending on the nature of the security flaw. A zero-click kernel code execution with persistence will earn the maximum amount.

Researchers who discover vulnerabilities in pre-release software before general release can qualify for up to a 50 percent bonus payout on top of the base bug bounty amount. 

Apple has also begun providing vetted and trusted security researchers with “dev” iPhones, or specialized iPhones that offer deeper access to the underlying software and operating system, making it easier for vulnerabilities to be discovered.

Apple is providing these iPhones as part of its new iOS Security Research Device Program, launching next year. Apple’s aim with these new bug bounty efforts is to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers. 

Stay tuned for additional details as they become available.

Via MacRumors