Apple offers hackers up to $200k to find bugs in its systems
Apple is finally catching up to the practices of other Silicon Valley giants by offering a bounty system to encourage third-party security experts to find security loopholes in its systems.
Ivan Krstic, head of Apple Security Engineering and Architecture, announced last week during the Black Hat cybersecurity conference in Las Vegas, Nevada that the company is paying anywhere from $25,000 to $200,000 to researchers who can find and report previously unknown vulnerabilities, depending on the type of weakness they find.
The bounty will launch in September and will be invite-only, but the list of eligible hackers will expand as the program matures. Its scope is also starting off small, covering only mobile iOS devices or iCloud.
Putting out bounties to find security flaws before malicious actors do has been a long-established practice for years at companies such as Uber, Google and Facebook.
However, Apple’s rewards are among the highest in the industry, with Google’s maximum prize being $20,000 and Uber’s being $10,000.
But Apple’s handsome payments are blown out of the water by a third-party security company. Exodus Intelligence is paying security researchers up to $500,000 to find vulnerabilities in Apple’s iOS 9.3 and above, the newest versions.
Before bug bounties became standard practice at companies, hackers would make their own black markets for selling critical vulnerabilities to be used for malicious purposes, rather than being fixed. Most companies have wised up and started incentivizing legitimate individuals, but “zero-day exploits” – an exploit that has been found before it’s fixed by a company – can sell for much more on these black markets than companies offer to help close them.
Apple was recently beaten to the punch by an unexpected actor – the United States Department of Justice (DoJ). The government had requested that Apple create a backdoor to open the phone of the San Bernardino terrorist who killed 14 people in December. Apple did not abide by the request, citing privacy concerns, but the DoJ contracted a third-party security firm to hack the phone for roughly $1 million.