SecureMac, Inc.

Apple Bounty Program

August 18, 2016

Taking a page from the playbook of a number of other high-profile companies, Apple intends to implement a bounty program to enlist the aid of third parties in tracking down and eliminating bugs in their software. Recently, The Verge reported that Apple would, at last, join the ranks of the other tech giants currently offering cash-for-bugs and that the program would take off sometime in September. Though the company has long maintained a tip line, this would be the first time they are explicitly sanctioning money in exchange for sniffing out exploits in their hardware and software.

To date, their internal security teams have been vigilant in catching potential issues, but recent developments – like last year’s San Bernardino shooter fiasco – may have prompted the tech company to revise their policies.

So, what is known about the program so far? Apple unveiled the plan at the Black Hat Cyber Security Conference in Las Vegas. It’s an invite-only deal, limited to a few dozen individuals to start. The program is intended to grow, however, meaning there will be a possibility for even more people to get involved. Apple has also stated that uninitiated individuals who approach them with a major, previously unknown bug will be invited into the fold to continue their work. You might note that most bounty programs don’t have the invite requirement, but Apple has stated that it was “necessary” to filter through the deluge of less than reputable submissions they would otherwise receive.

The program is currently targeting five varieties of bugs, the most significant being “vulnerabilities that compromise the secure boot firmware components.” Apple is obviously investing a great deal in this, offering bounties of up to $200,000 for finds in this area. This ties into Apple’s recent crackdown on jailbreaking, which the company constantly warns consumers about. The smaller cash rewards are aimed at a variety of data extraction and unauthorized iCloud access exploits.

The response to the program thus far? Fortune reports that Exodus Intelligence, an Austin-based firm, is offering double the cash for the same exploits. They reportedly plan to stockpile these secrets and sell them for a subscription fee. A genius business plan if ever there were one. It could also potentially undercut Apple’s efforts to stay on top of things and a step ahead of jailbreakers and other assorted app hackers, as the reward being offered by Exodus far exceeds Apple’s own. It will be interesting to see how all this plays out in the coming months, with the release of iOS 10 right around the corner.
