Apple announced that it will be expanding the scope of its bug bounty program and increasing its maximum possible reward payout to $1 million.
Ivan Krstić, Apple’s head of security engineering, made the announcement during a presentation on iOS and macOS security at Black Hat USA 2019. He revealed that Apple’s bug bounty program will begin recognizing vulnerabilities affecting macOS, tvOS and watchOS later this year. This decision will effectively expand the scope of the program, a framework which the tech giant originally unveiled at Black Hat USA back in 2016, beyond its original iOS-only purview.
As part of this announcement, Krstić stated that the tech giant would increase its highest bug bounty payout from $200,000 to $1 million for a hack of the kernel on the iPhone without any user interaction. He went on to reveal that Apple would award $500,000 for a network attack with no user interaction, as well as a 50 percent bonus for researchers who discover flaws in software prior to release, reported Forbes.
Krstić also announced that the tech giant will give out several “dev” iPhones to vetted security researchers who are participating in the bug bounty programs. These devices will enable those individuals to access an iPhone’s underlying software and operating system in greater depth than they can on a consumer device. In so doing, these iPhones will enable researchers to uncover iOS security vulnerabilities that are harder to find.
Patrick Wardle, principal security researcher at Jamf, told Forbes in another report that these changes will help both Apple and its users:
If you’re a large, well-resourced company such as Apple, who claims to place a premium on security, having a bug-bounty program is a (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/apple-increases-maximum-bug-bounty-program-payout-to-1m/