Apple has announced it will pay up to $200,000 to researchers who find security bugs in its software and devices. The program will initially be invite-only.
The news came during a rare public appearance by an Apple representative, head of security engineering Ivan Krstic, at the Black Hat conference. The maximum payouts are:
- $25,000 for bugs that breach sandboxing;
- $50,000 for bugs that breach iCloud data held on Apple servers;
- $100,000 for bugs that breach the Secure Enclave Processor (which houses Touch ID data); and
- $200,000 for bugs that breach boot firmware.
There’ll also be an option to donate the cash to charity, in which case Apple will double the money.
Payouts will only be made after researchers provide full details to Apple, including a working proof of concept. That requirement is designed to win over researchers who currently do just enough work to go public and claim bragging rights, but then have little incentive to fully explore the bug.
However, it's widely acknowledged that the bounties won't sway researchers who are motivated solely by money; they will likely always find a bigger payout from brokers and buyers with a more dubious interest in breaching Apple's security.
Initially only a select group of researchers who’ve previously disclosed bugs to Apple will be eligible for payouts, though others may be brought on board if they find something particularly significant. That setup is designed to avoid the program being flooded by reports from people who’ve found more minor bugs.