Apple has long maintained a policy of not offering bounties for vulnerabilities found in its software; that has changed. The company broke the news at the Black Hat researcher conference, saying that it is now prepared to reward those who come forward with exploits in its systems.
Cupertino’s refusal to offer bounties was partly due to the higher-ups believing that it would not be able to beat the amounts offered by criminals and governments. The black market for exploits is highly lucrative for hackers and cybercriminals. Recently, the US government shelled out some $1 million (about RM4 million) for a method to unlock the iPhone belonging to the San Bernardino shooter.
That being said, the company is now willing to give the bounty idea a try. The value of the bounty varies according to the severity, ranging from $25,000 (about RM100,000) for exploits that provide sandbox access to outsiders, to $200,000 (about RM800,000) for vulnerabilities in secure boot processes.
Apple also requires those claiming the bounty to be researchers who have previously made valuable vulnerability disclosures to the company. In other words, one must have already been working on exploits to help Apple out in the past. This requirement may be temporary, as the company says that it is worried that the bounty programme announcement may open the floodgates and cause Apple’s own team to miss something important.
In an additional twist to the bounty, Apple is encouraging the recipients to donate the money to a charity of their choice. According to the announcement, Cupertino will match the donation. This would effectively double the amount donated.
Opening up like this is highly unusual for Apple, but it looks like the company is acknowledging that it cannot possibly catch all the vulnerabilities in its software alone. The company has placed a larger emphasis on security as of late, and a bug bounty programme is just the next step in securing the Apple ecosystem.