Saturday, August 6, 2016

Apple says they will finally pay hackers who discover critical software vulnerabilities


For a long while, Apple was seemingly the only top Silicon Valley company that didn’t make use of ‘bug bounty’ programs.

Whereas companies like Google, Microsoft and Facebook routinely doled out monetary awards to individuals or third parties who found critical software bugs, Apple curiously remained on the sidelines.
Now, in 2016, Apple has finally decided to join the party.


At the Black Hat Conference in Las Vegas yesterday, Apple’s top security chief Ivan Krstic announced a new bug bounty program where Apple will pay handsome sums to anyone who manages to find and report major vulnerabilities in its software.

For now, the bug bounty program will primarily be an invite-only affair, as Apple is concerned it might be overwhelmed by an avalanche of low-value reports that would bury the more serious vulnerabilities. Going forward, though, Apple will slowly open up the program to more people.

The current matrix of Apple’s bug bounty program looks like this:


==> Secure boot firmware components – Max payout of $200,000
==> Extraction of confidential material protected by the Secure Enclave Processor – Max payout of $100,000
==> Execution of arbitrary code with kernel privileges – Max payout of $50,000
==> Unauthorized access to iCloud account data on Apple servers – Max payout of $50,000
==> Access from a sandboxed process to user data outside of that sandbox – Max payout of $50,000


You’ll note that each successful bounty has a maximum payout as opposed to a guaranteed payout. Per TechCrunch, the final payout amount will be “based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.”
Lastly, and in a very Apple-y move, recipients of an Apple bug bounty will have the option to hand over their winnings to charity, in which case Apple will match their donation 100%.
