Apple announces invite-only bug bounty program at Black Hat 2016
News Desk
At Black Hat 2016, a popular annual computer security conference, Apple announced that it would soon begin paying hackers and researchers who privately disclose security flaws in the company's products. ZDNet notes that Apple will pay up to $200,000 for serious security vulnerabilities, such as flaws in secure boot firmware components, found in select Apple products as part of its debut bug bounty.
Apple's head of security Ivan Krstic made the announcement during his session at Black Hat, titled 'Behind the Scenes of iOS Security'. He noted that with over a billion active devices and in-depth security protections spanning every layer from 'silicon to software', Apple works to advance the state of the art in mobile security with every release of iOS. He then went on to discuss three iOS security mechanisms in technical detail, offering the first public discussion of one of them, which is new to iOS 10.
Ivan observed that HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices in the user's home, unlocking a user's Mac from an Apple Watch, and storing the user's passwords and credit card information, respectively. He therefore discussed the cryptographic design and implementation of Apple's secure synchronization fabric, which moves confidential data between devices without exposing it to Apple while still allowing the user to recover that data if a device is lost. He also noted that traditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated mitigation techniques.
The complete breakdown of the bug bounty program is as follows:
ZDNet points out that other major companies like Amazon and Microsoft, and prominent startups like Uber and Airbnb, have had bug bounty programs for many years and have been paying ethical hackers who find holes in their products and services.
Until now, Apple had only acknowledged and credited hackers and researchers for their work, without rewarding them financially. Many saw this as a sign of corporate arrogance. ZDNet noted that it was Apple's fight with the US government earlier this year, over unlocking the phone of a San Bernardino shooter, that laid the groundwork for rewarding researchers for their work.