Skip to main content

Apple plays catch-up with a bug bounty program coming in September

apple store logo
cchana/Flickr
Google, Facebook, and Microsoft all have had bug bounty programs for quite some time. Hackers and security enthusiasts work to find bugs and exploits, and in return they receive large cash prizes. While Apple has been willing to accept vulnerability disclosures, it has never explicitly offered cash awards for them. Not anymore.

Announced at the Black Hat conference, Apple will unveil a program in September that will offer a cash reward for people who discover exploits and vulnerabilities in its suite of products, according to TechCrunch. The program will focus on Apple’s most recent products, meaning iOS 10 and the new devices rumored to launch in the fall.

Offering a cash reward is a popular method of squashing bugs and closing loopholes in software and hardware these days. It’s so popular, the Department of Defense launched a “Hack the Pentagon” program with a $150,000 bounty budget. Google recently said it’s increasing its bug bounty for Android up to 50 percent above what it currently offers.

The bugs have been sorted into five categories: exploits in secure boot firmware components; extracting data from Secure Enclave; executing arbitrary or malicious code with kernel privileges; access to iCloud account data on Apple servers; and access from a sandboxed process to user data outside the sandbox.

The rewards range between $200,000 and $20,000. In an unusual move, Apple will encourage people who receive rewards to donate them to charity, and the Cupertino company will match donations to approved institutions.

Apple’s move may have been a direct consequence of the San Bernardino shootings in December 2015. The shooter left behind a locked iPhone, and while Apple initially aided the investigation, the Cupertino company refused a court order that demanded backdoor access into the iPhone. This prompted an encryption battle between the U.S. Department of Justice and the Cupertino company, which eventually led to the FBI purchasing a method to hack the iPhone from third-party hackers.

The program will start as invitation-only so as to eliminate a flood of fake submissions, but if a party discloses an important bug to Apple they will be invited into the program.

Julian Chokkattu
Former Digital Trends Contributor
Julian is the mobile and wearables editor at Digital Trends, covering smartphones, fitness trackers, smartwatches, and more…
iPhone 13 and new iPads hit by Apple Music bug
iPhone 13 front and back

Getting one of the new iPhones or iPads? Then watch out -- if you restore the device from a backup, Apple says you might have trouble using Apple Music.

The issue affects all of the new iPhone 13 models, as well as the new iPad (9th generation) and iPad Mini (6th generation). Older devices are not affected.

Read more
Google lead says he’s ‘disappointed’ with Apple’s new iPhone security program
iPhone 11 Pro feature image

Apple’s new hacker-friendly iPhones offer security researchers unrestricted access to devices so that they can easily hunt down vulnerabilities and bugs. But Ben Hawkes, technical lead at Project Zero, a team at Google tasked with discovering security flaws, says he’s “pretty disappointed” with Apple’s latest security program.

Hawkes, in a Twitter thread, said that its team won’t be able to take advantage of Apple’s “Security Research Device” (SRD) iPhones since it appears to exclude security groups that have a policy to publish their findings in three months.

Read more
Sony’s revamped PlayStation bug bounty program offers cash rewards
Two people play a soccer game on PS4

Sony is inviting one and all to hunt down bugs on its PlayStation platform for some potentially big cash payouts.

The entertainment giant has actually had a bug bounty program in place for some time, but operated it privately with select researchers. This week’s announcement means the program is now open to everyone, including “the security research community, gamers, and anyone else,” Geoff Norton, Sony’s senior director of software engineering, wrote in a blog post about the expansion.

Read more