Apple recently launched a bug bounty program that can pay you a lot of money for finding flaws in Apple software and hardware.
The program pays people up to $200,000 for finding iOS and iCloud bugs.
The bounty program is starting off small but will slowly expand over time.
The news was announced at this year’s Black Hat conference, where Apple stated that they were launching a bug bounty program in the fall. The program is designed to reward security researchers who uncover vulnerabilities in Apple’s products and bring them to the company’s attention.
Many other tech companies run bug bounty programs. Google, Microsoft, and Facebook regularly make headlines for paying out big money to independent security researchers.
Only Accepting Reports from a Few Dozen Security Researchers
Right now, the bug bounty program through Apple is small. The company is only accepting reports from a few dozen security researchers. Apple has worked with each of these researchers in the past. However, Apple will expand the program in the future so that anyone can submit flaws.
Apple is also limiting the types of bugs that can be identified. They’re only accepting bug reports for iDevice and iCloud problems. Here’s what the list looks like, as reported by ArsTechnica:
- Secure boot firmware components: Up to $200,000.
- Extraction of confidential material protected by the Secure Enclave: Up to $100,000.
- Execution of arbitrary code with kernel privileges: Up to $50,000.
- Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.
- Unauthorized access to iCloud account data on Apple servers: Up to $50,000.
To claim a bounty, you’ll need to submit a report to Apple with a working proof-of-concept exploit. The exploit needs to work on the latest stable version of iOS. Bugs can be hardware or software related.
After discovering a bug, researchers are asked to keep the news quiet until Apple offers an official release.
Researchers also have the opportunity to donate their bounty to charity (with a matching donation from Apple).
Apple Wants to Deter Hackers from Selling Exploits Online
Bug bounty programs are a win-win solution. Security researchers aren’t tempted to sell their exploits on the black market – like in November of 2015, when Zerodium paid a $1 million bounty for a browser-based jailbreaking exploit. Meanwhile, Apple gets a network of independent researchers probing their software for flaws.
Apple’s bounty program doesn’t pay out quite as well as some other programs have in the past, which is odd considering the amount of cash the company has. Nevertheless, as the program expands, we could see larger amounts being given out.