

Apple joins the bug bounty party with $200,000 top prize

Cupertino will match bounties if hackers donate them to charity

Security researchers can win up to US$200,000 in Apple's new bug bounty program, announced by the company on Thursday at the Black Hat security conference in Las Vegas.

“We’ve had great help from researchers like you and the security mechanisms we build have gotten stronger,” said Apple’s head of security engineering and architecture Ivan Krstić. “The feedback that we’ve heard pretty consistently both from my red team and Apple and also directly is that it’s getting more difficult to find some of the most critical types of security vulnerabilities.”

The program will be invite-only initially, Krstić told the crowd, with a “few dozen” researchers participating. Researchers outside that group are not shut out, however: if one turns up an interesting bug and provides a full report and a proof of concept that Apple engineers accept, they will get a payout.

To get the maximum payout, you'll need to turn up a flaw in the secure boot firmware that so irritated the FBI, while an attack that extracts confidential data protected by a phone or tablet's Secure Enclave Processor (SEP) will yield up to $100,000.

Executing arbitrary code with kernel privileges on iOS earns a maximum award of $50,000, with the same sum available to anyone who gains unauthorized access to iCloud account data on Apple's servers. There's also $25,000 up for grabs if you can get access from a sandboxed process to user data outside that sandbox.

Krstić said that Apple engineers will examine reported flaws to determine their value before a payout. But if the researcher chooses to give the money to charity instead of taking it themselves, Apple will match the donation dollar for dollar.

Bug bounty programs are widely used but Apple hasn’t previously joined in, despite protests from developers. At the event, it was clear the audience approved of the change of heart as the announcement was greeted with warm applause.

The Register asked Krstić if this new focus on recruiting security smarts was in any way related to its recent run-in with the FBI and the storm that brewed when Cupertino refused to play ball with the Feds.

“I’m an engineer,” he replied. “I’m happy to answer technical questions on what I’ve covered today.” Then he shut up. ®
