Apple will soon begin paying hackers and researchers who privately disclose security flaws in the company’s products.
The technology giant will pay up to $200,000 for serious vulnerabilities in select Apple products, with the top tier reserved for flaws in components such as secure boot firmware, as part of its debut bug bounty. That is double the top reward offered by Google, and a major step up from Apple's current practice, which for all intents and purposes gives hackers little more than a gold star for quietly informing the company of security flaws.
Apple’s head of security, Ivan Krstic, made the announcement during his talk at Black Hat, the annual global gathering of security professionals.
The long-awaited move comes as other major companies have for years embraced bug bounties, in which they pay those who find holes in their products and services.
Almost every major tech company, including Amazon and Microsoft, has a program that financially rewards hackers for privately reporting serious flaws. Even prominent startups, like Airbnb and Uber, run bug bounties. Google alone paid out over $550,000 in bug bounties in the last year.
But it was Apple’s fight with the US government earlier this year that laid the groundwork for rewarding researchers for their work.
When the FBI pushed Apple to write a custom version of iOS that would strip the passcode protections from an iPhone belonging to one of the San Bernardino shooters, so that the device's encryption could be bypassed by brute-forcing the passcode, Apple refused: the task was technically feasible, the company said, but building such a tool was indefensible. The FBI later hired professional hackers to break into the device, reportedly paying more than $1 million for their services.
Many saw Apple's practice of merely crediting researchers for their work as corporate arrogance at its finest.
As The New York Times put it earlier this year, the lack of a bug bounty at the time likely pushed hackers and security researchers to work against the company, turning their flaw-finding efforts toward whoever would pay.
Why would hackers give Apple a freebie, when they could easily sell their exploit on the black market, or get even more from the feds? Some do it for the love of security, and others do it for the money.
But a bug bounty now, after the FBI ruckus, may be too little, too late.
The government won't fling open its doors every day to anyone who can figure out how to break into an iPhone, but with San Bernardino the precedent has been set.
The majority who submit their flaws and exploits will do so for the greater good of making the technology stronger. But if the government can outbid the reward by more than five-fold, as it did here, that is a tempting offer many middle-ground "grey-hat" hackers might opt to take.
Apple's bug bounty offers enough of an incentive to draw in those who might otherwise be tempted to sell their findings for more nefarious purposes.
But should there ever, heaven forbid, be a San Bernardino "round two", a company's bug bounty may look like small fry when the government ups its bids.