Apple Inc. (NASDAQ: AAPL) plans to offer big cash rewards to security researchers who can help find critical vulnerabilities in its products.
Some technology companies, such as Facebook (NASDAQ: FB), Google, and Microsoft, have had vulnerability reward programs for years, which encourage the security research community to report any vulnerability it can find.
Apple is offering a reward of as much as $200,000
Ivan Krstic, the head of engineering and architecture at Apple, announced the company’s bug bounty program during the Black Hat Conference in Las Vegas on Thursday.
The Cupertino-based tech giant’s reward will be up to $200,000 for certain security flaws that are discovered and reported. The amount is one of the biggest bounties offered to date for finding security flaws.
During the conference, Krstic said, “We’ve had great help from researchers like you in improving iOS security all along. Feedback that we’ve heard pretty consistently both from my team at Apple and also from researchers directly is that it’s getting increasingly more difficult to find some of those most critical types of security vulnerabilities.”
Apple Bounty Security Program will be invite-only
He added, “The Apple Security Bounty Program will reward researchers who actually share critical vulnerabilities” with the company. The iPhone maker will launch the program in September.
The program will initially be limited to around two dozen researchers, who will be invited to help discover security vulnerabilities in five categories. The tech giant is offering the highest rewards for bugs uncovered in its secure boot firmware components, which prevent unauthorized programs from launching when an iOS device is turned on.
Apple decided to launch the program as invite-only on the advice of other companies that already have bounty programs in place. The tech giant said it would gradually open the program over time.
The iPhone maker’s decision to limit participation in its bounty program would spare it from dealing with a flood of reports about “low value” vulnerabilities, according to security analyst Rich Mogull.
“Fully open programs can definitely take a lot of resources to manage,” he said as quoted by Reuters.