Apple’s Bug Bounty Program: Rewards Of Upto $200,000 Announced In Invite-Only Program Starting September

Apple Inc. plans to start offering rewards of up to $200,000 in a new bug bounty program, the company announced at the Black Hat conference Thursday. The tech giant will pay researchers who find critical vulnerabilities or security bugs in its products.

A number of tech firms already reward those who can detect problems with their software. Apple was one of the few companies that did not offer any reward to them.

“It’s getting increasingly difficult to find some of those most critical types of security vulnerabilities,” said Ivan Krstic, Apple’s head of security engineering and architecture, at the security conference in Las Vegas. “The Apple security-bounty program is going to reward researchers who actually share critical vulnerabilities with Apple.”

Initially, the program will be limited to around two dozen verified researchers invited by Apple to help identify bugs in five specific categories, Reuters reported. The researchers were chosen from amongst the experts that have helped Apple identify bugs in the past, without any compensation.

The limited scope comes at the advice of companies that have launched bounty programs on their security in the past. According to Apple, these companies said they would start the program by inviting a small list of researchers to join before gradually opening it up over time, if they had a chance for a do-over.

The highest reward is for bugs in Apple’s “secure boot” firmware that prevents unauthorized programs from opening when the company’s device is started.

“We believe that these payment amounts are commensurate with the level of difficulty in attacking some of these systems,” Krstic said.

The Federal Bureau of Investigation paid more than $1 million for a tool to get past the security measures on the San Bernardino shooter Syed Rizwan Farook’s iPhone 5S, showcasing how a hacker can gain control of a device through such vulnerabilities.

This year Uber, Fiat Chrysler, and the Department of Defense have also launched similar programs. Companies like Google, Microsoft and Facebook already have bounty programs in place.

While Microsoft has handed out $1.5 million in rewards to security researchers, Google reportedly paid out more than $2 million last year, most commonly for vulnerabilities in Android. In March this year, Facebook paid a 10-year-old boy in Finland $10,000 after he found a way to delete user comments from the company-owned Instagram accounts.

Apple’s program is set to kick off in September.