Apple announces Security Bounty Program with huge cash rewards, will go live in September

Following the likes of Google, Microsoft, Uber, and so many other tech companies, Apple has unveiled its plans to offer a bug bounty program that will pay thousands of dollars to those who find security vulnerabilities in the software.

Announced at the Black Hat conference, Apple's head of security engineering, Ivan Krstic, said the new Security Bounty program will go live in September. The program will be invite-only, with approximately a dozen researchers at launch, and will then be rolled out to others as the initiative progresses. However, if someone outside the program finds a significant bug, Apple will invite them into it.

As for the rewards, Apple has broken them down into five categories by risk, each with its own maximum payout:

  • Secure boot firmware components: Up to $200,000 (USD)
  • Extraction of confidential material from Secure Enclave: Up to $100,000 (USD)
  • Execution of arbitrary code with kernel privileges: Up to $50,000 (USD)
  • Unauthorized access to iCloud account data on Apple servers: Up to $50,000 (USD)
  • Access from a sandboxed process to user data outside the sandbox: Up to $20,000 (USD)

Apple notes that in order to collect the cash, researchers must provide a working proof-of-concept on the latest version of iOS. Apple is also putting a twist on the reward: researchers who choose to donate their bounty to a charity of their choice will have the donation matched by Apple.

Source: TechCrunch, Twitter