On Thursday, August 4, Apple announced its first-ever security bounty program at the Black Hat cyber security conference in Las Vegas.
According to Apple Insider, the new initiative of the maker of iPads and iPhones will pay out cash for previously undiscovered hardware and software vulnerabilities. The Verge reports that Apple's bug bounty program will go live in September.
Once the program becomes operational, security researchers will be able to earn bounties, or cash rewards, for probing Apple's latest products for weaknesses and handing over working exploits.
Many other industry organizations as well as smaller companies have already implemented their own bug bounty incentives. Such rewards are currently offered by dozens of companies, including Facebook Inc, Microsoft Corp, AT&T Inc, Google, Yahoo Inc and Tesla Motors Inc. Apple is among the last major consumer electronics brands to move away from its previous internal testing policies and procedures toward public incentives.
Business Insider reports that researchers who find critical security bugs in Apple products will receive rewards of up to $200,000. Apple's security bounty program includes some of the biggest bounties offered to date.
Initially, Apple's program will be limited to around two dozen researchers. They will be invited by the high-tech company to help identify hard-to-uncover security bugs. The program will focus on five specific categories.
Apple has chosen the researchers who will participate in its bug bounty program from the group of experts who have previously helped Apple identify bugs without being compensated for that work. The category that will offer the biggest rewards covers bugs in Apple's "secure boot" firmware. When an iOS device is powered up, the firmware aims to prevent unauthorized programs from launching.
Apple explained that, on the advice of other companies that have previously launched similar programs, it decided to limit the scope of the program. The high-tech company will start by inviting a small list of researchers to join and will open the security bounty program gradually over time.