Apple Announces Security Bounty Program

Russell Brandon, reporting for The Verge:

The new program will begin as invite-only, including only a few
dozen researchers. Still, Apple says the program will become more
open as it grows, and if a non-member approaches Apple with a
significant bug, they’ll be invited into the program to work it
through. The invite system is unusual for a bounty program, but
Apple explained it as necessary to weed out spurious submissions
and make sure trusted researchers had adequate support from the
company.

For now, the new program is also limited to five distinct
categories of bugs. The most valuable category — worth up to
$200,000 — is vulnerabilities that compromise the secure boot
firmware components, cutting at the heart of Apple’s hardware
protections. Notably, those vulnerabilities are also particularly
useful for jailbreaks. Smaller rewards are available for the
extraction of data from the Secure Enclave, extraction of
arbitrary code, escaping a sandboxed process, and obtaining
unauthorized access to iCloud account data.

The bounty program was announced by Apple's head of security engineering, Ivan Krstic, during his presentation today at Black Hat in Las Vegas. Both the bounty program and the mere fact that Krstic was speaking at Black Hat are signs of Apple's thawing relationship with the security industry.

Read more at Daring Fireball