The Verge writes:
Apple is planning a new bug bounty program that will offer cash in exchange for undiscovered vulnerabilities in its products, the company announced onstage at the Black Hat conference today. Launching in September, the program will offer cash rewards for working exploits that target the latest version of iOS or the most recent generation of hardware. It’s the first time Apple has explicitly offered cash in exchange for those vulnerabilities, although the company has long maintained a tip line for disclosing security issues.
Ivan Krstic, Apple’s head of security engineering and architecture, made the announcement during a presentation at Black Hat on Thursday.
The top reward comes for finding flaws in vulnerabilities in Apple’s “secure boot” process, which if broken could seriously compromise security.
As Hacker News reports, for now Apple’s bug bounty program is invite-only – meaning that the only people likely to be ushered in are those who have a track record in finding exploitable flaws in the company’s code. Hopefully things will loosen up over time, and from the sound of things they are open to adding others who come forward after finding critical vulnerabilities in key areas.
Frankly, an Apple bug bounty is long overdue.
Apple was looking incongruous in not offering a reward for security researchers who uncovered critical vulnerabilities in its products. After all, if you were a vendor you would rather have those who find security vulnerabilities in your products work with you rather than selling off their exploits to a third-party, wouldn’t you?
With a bug bounty in place, serious exploitable vulnerabilities are more likely to be responsibly disclosed to Apple, and users are more likely to be protected in a timely fashion.
Good.