Apple’s head of security engineering and architecture, Ivan Krstić, revealed yesterday that the iPhone maker is finally creating a bug bounty program that will offer rewards of up to $200,000 to security researchers who find vulnerabilities in the company’s various software platforms.
The news came during a keynote at the annual Black Hat conference in Las Vegas, where Krstić also gave attendees a behind-the-scenes look at iOS 10 security as part of Apple’s effort to become more open about its architecture in the hope of improving it.
Not just anyone will be able to score Apple’s $200,000 bounty, though. The new program will be invite-only, limited to researchers who have disclosed a bug to Apple in the past. TechCrunch reports that Apple consulted other companies about their bug programs and decided that opening it up to the public would flood the company with reports, many of which would likely be garbage.
The program is set to launch in September with five payout tiers:
- Vulnerabilities in secure boot firmware components: up to $200,000
- Vulnerabilities that allow extraction of confidential material from the Secure Enclave: up to $100,000
- Execution of arbitrary or malicious code with kernel privileges: up to $50,000
- Access to iCloud account data on Apple servers: up to $50,000
- Access from a sandboxed process to user data outside the sandbox: up to $25,000
Apple is encouraging researchers to donate their bounty to charity by promising to double the amount of any earnings given to approved institutions.