Apple Announces Security Bounty Program

Russell Brandom, reporting for The Verge:

The new program will begin as invite-only, including only a few dozen researchers. Still, Apple says the program will become more open as it grows, and if a non-member approaches Apple with a significant bug, they’ll be invited into the program to work it through. The invite system is unusual for a bounty program, but Apple explained it as necessary to weed out spurious submissions and make sure trusted researchers had adequate support from the company.

For now, the new program is also limited to five distinct categories of bugs. The most valuable category — worth up to $200,000 — is vulnerabilities that compromise the secure boot firmware components, cutting at the heart of Apple’s hardware protections. Notably, those vulnerabilities are also particularly useful for jailbreaks. Smaller rewards are available for the extraction of data from the Secure Enclave, extraction of arbitrary code, escaping a sandboxed process, and obtaining unauthorized access to iCloud account data.

The bounty program was announced by Apple head of security engineering, Ivan Krstic, during his presentation today at Black Hat in Las Vegas. Both the bounty program and the mere fact that Krstic was speaking at Black Hat are signs of Apple’s thawing relationship with the security industry.

Thursday, 4 August 2016