While its competitors have already invited hackers to find bugs in their software in return for cash, Apple has long held out.
The argument went that it can't offer the same level of prize as the black market or government, and has an in-house security team anyway, so why bother?
That thinking looks to have changed. Ivan Krstic, Apple’s head of security engineering, announced the change at the annual Black Hat conference for the IT security industry. The ‘bug bounty’ program will launch this month with five tiers of reward, ranging from $25,000 to $200,000 for weaknesses in secure boot process components.
(That is the computer kind of bug, not the creepy-crawly kind.) At present, the program is invitation-only. To be eligible for a reward, researchers must submit a proof of concept using the most recent iOS and Apple hardware.
Apple will encourage people to donate their prize to charity, pledging to match any donation that goes to a charitable cause. Alex Rice, co-founder of bug bounty program HackerOne, says Apple will benefit from its own program:
“There isn’t a company yet who has launched a bug bounty program and has not recognized new vulnerabilities that they didn’t know about yet”.
In an effort to make Mac and iOS software as watertight as possible, Apple is finally welcoming the bug hunters.