Apple is ready to pay hackers a big bounty for bugs


[Photo: iOS 10. Apple needs help squashing bugs. Photo: Ste Smith/Cult of Mac]

Apple’s head of security engineering and architecture, Ivan Krstić, revealed yesterday that the iPhone maker is finally creating a bug bounty program that will offer rewards of up to $200,000 to security researchers who find vulnerabilities in the company’s various software platforms.

The news came during a keynote at the annual Black Hat conference in Las Vegas, where Krstić also gave attendees a behind-the-scenes look at iOS 10 security as part of Apple’s effort to become more open about its security architecture in the hope of improving it.

Not just anyone will be able to score Apple’s $200,000 bounty, though. The new program will be invite-only, limited to researchers who have previously disclosed bugs to Apple. TechCrunch reports that Apple consulted with other companies about their bug bounty programs and decided that opening it up to the public would flood the company with reports, many of them low quality.

The program is set to launch in September with five payout tiers:

  • Vulnerabilities in secure boot firmware components: up to $200,000
  • Vulnerabilities that allow extraction of confidential material from Secure Enclave: up to $100,000
  • Executions of arbitrary or malicious code with kernel privileges: up to $50,000
  • Access to iCloud account data on Apple servers: up to $50,000
  • Access from a sandboxed process to user data outside the sandbox: up to $25,000

Apple is encouraging researchers to donate their bounties to charity by promising to match any reward given to an approved institution, effectively doubling the donation.

