Apple to finally offer bug bounties

Google does it. Facebook does it. Microsoft does it. Now Apple will do it, too.

Starting in September, Apple will pay bounties to people who discover security flaws in its products, Ivan Krstic, the company’s head of security engineering and architecture, announced Thursday at the Black Hat security conference in Las Vegas. But it won’t be your average tech company’s bug bounty program — at least not at first — because it will be open only to some researchers who are previously known to Apple.

Also, it may be late to the party, but it knows how to make an entrance. Apple’s bounties are larger than what other companies are offering: They range from $25,000 up to $200,000 for critical vulnerabilities found in its firmware. The bounty for finding a way into iCloud data (you might remember the leak of nude celebrity photos) is up to $50,000.

Apple had to finally make this move, especially after its high-profile fight with the FBI over unlocking the iPhone of one of the San Bernardino shooters. That battle ended with the FBI paying a third party to unlock the phone, which of course raised security concerns about the iPhone.

“We’re fortunate that we’ve earned trust from our customers, but we realize that that’s something we have to keep earning,” Krstic reportedly said at Black Hat.

Paying bounties could improve security in a few ways. Most directly, those who discover vulnerabilities would have an incentive to report their findings to Apple and keep quiet about them, giving Apple time to fix them before they’re made public.

As for other tech companies’ bounties, Yahoo used to offer a T-shirt until it got shamed into paying cold, hard cash.

Last year, Google paid $2 million in bug bounties, reporting earlier this year that it has rewarded $6 million in bug bounties since 2010. Also, it announced in June that its year-old Android bug bounty program has paid $550,000 so far.

Facebook earlier this year paid $10,000 to a 10-year-old boy for finding a bug in Instagram. Uber in March announced a bounty program that pays up to $10,000.

What had Apple done? It had put the names of bug finders on its website.
Photo: Screen shot from the website for Apple’s iCloud service.
• FresnoUser

  If they didn’t put ‘bugs’ in there to begin with, they wouldn’t have to pay any bounties. Hire better programmers.