Apple ups top bug bounty reward from $200,000 to $1m for operating system security flaws
The new bug bounty programme will include iOS, macOS, watchOS, iPadOS, tvOS, and iCloud
Apple has increased its maximum bug bounty from $200,000 to $1 million in a bid to ensure security researchers turn in any security flaws they find to Apple rather than selling them on the grey market.
At the Black Hat security conference in Las Vegas, Nevada on Thursday, Ivan Krstić, Apple's head of security, revealed that the company is updating the rules of its bug bounty programme, adding that the programme will now be open to all security researchers, instead of the current invite-only eligibility.
According to Bloomberg, the new programme will include iOS, as well as macOS, watchOS, iPadOS, tvOS, and iCloud.
Apple is planning to offer special pre-jailbroken iPhones to trusted, qualified security researchers
Apple first unveiled its bug bounty programme in 2016, offering rewards of up to $200,000 for discovering and reporting issues in iOS devices.
The $1 million payout announced by Apple is by far the largest reward offered by any major tech firm for reporting security flaws in its products.
The $1 million reward will go to bug finders who report the most severe class of exploit: a zero-click kernel code execution flaw, which grants full control of a device's kernel without any user interaction.
Individuals discovering less severe flaws will qualify for smaller rewards, and researchers can receive bonuses of up to 50 per cent for finding bugs in pre-release builds. The new programme will come into effect this autumn.
Those interested in Apple's bug bounty program can get more information from the company's support page, which provides detailed instructions for bug disclosure.
Apple is also planning to offer special pre-jailbroken iPhones to trusted, qualified security researchers as part of the iOS Security Research Device Programme. Those devices will be easier to probe than the standard iPhones available to end users and will provide access to a root shell, SSH and similar debugging facilities.
Such deeper access will let researchers hunt for bugs from a shell on the device itself. The devices could also allow researchers to halt the processor and examine memory for flaws.
Even so, they won't offer the same level of openness that Apple's internal security staff enjoy. Any researcher can apply to receive one of these special iPhones, although Apple will distribute only a limited number of devices to qualifying researchers.
The latest announcement from Apple comes at a time when data breaches are becoming more common in financial and tech industries.
Last month, Capital One revealed that the personal information of 106 million Americans and Canadians was exposed in a data breach that occurred in March and April this year.
Earlier, in 2017, nearly 143 million credit records of US citizens were exposed in a massive data breach at the credit ratings agency Equifax.