Image
"We’ve had great help from researchers like you in improving iOS security all along. As the mechanisms we build get stronger, the feedback I’ve gotten from my team is that it’s getting increasingly difficult to find those vulnerabilities. The Apple bounty program will reward researchers who share critical vulnerabilities with Apple and we will make it a top priority to resolve those and provide public recognition."At the outset, the program will only be open to two dozen security researchers who have reported vulnerabilities in Apple's software in the past. In time, it will expand to include additional bug bounty hunters. All the while, Apple will reward researchers based upon what types of vulnerabilities they disclose to the company. For instance, the tech giant said it will pay up to USD 25,000 for flaws that could allow an actor to gain access from a sandboxed process to user data outside of that sandbox, while it will dish out as much as USD 100,000 to those who can extract data protected by Apple's Secure Enclave technology. For reporting vulnerabilities in its firmware, Apple will potentially pay out USD 200,000. But that won't be easy, according to Krstic:
"The difficulty in finding most of the critical vulnerabilities is going up and up as we invest in new security technology and mechanisms. The difficulty is such that we want to reward people for their time and creativity they put in to finding bugs in these categories."Apple's bug bounty program is set to kick off in September 2016. News of this announcement follows (and is perhaps motivated by) the FBI's commissioning of hackers to break into the iPhone 5C of one of the San Bernardino shooters.
