Rich Mogull on Apple’s Security Bounty Program

Rich Mogull:

A bug bounty program, like any corporate program, should be about achieving specific objectives. In some situations finding as many bugs as possible makes sense, but not always, and certainly not necessarily for a company like Apple.

Apple’s program sets clear objectives. Find exploitable bugs in key areas they consider a priority. Since proving exploitability with a repeatable proof of concept is far more labor intensive than merely finding a vulnerability, pay the researchers a fair value for their work. In the process, learn how to tune a bug bounty program and derive the most value out of it. High quality exploits discovered and engineered by researchers and developers Apple believes have the skills and motivations they feel will most help advance product security.

It’s the Apple way. Focus on quality, not quantity. Start carefully, on their own schedule, and iterate over time. If you know Apple, this is no different than how they release manage nearly all of their products and services.


Sources at Apple mentioned that if someone outside the program discovered an exploit in one of these classes, they could then be added to the program. It isn’t completely closed.

I was told the same thing.

Thursday, 4 August 2016