CNET reported on Friday that the head of Apple security, Ivan Krstic, has said the company will pay bug bounties -- up to $200,000 -- to researchers who find and report vulnerabilities in specific Apple software.
The Apple security bounty program joins many others. Bug bounties have long been a cybersecurity staple for big software makers, Internet companies and other heavy-duty users of computers, including Microsoft, Yahoo, Chrysler and United Airlines. Last month, for instance, Google said in the last year it had paid $550,000 in total to people who had discovered vulnerabilities in its Android software. In February, Facebook said that since 2011, its bug bounty program has handed over $4.3 million to more than 800 researchers worldwide. Wow – that's not pocket change.
Not everyone tells Apple what they've found, instead selling information on how to break into Apple systems to governments or hacking organizations. It's possible the new bug bounty will encourage researchers to tell Apple first. It took a while for Apple to accept that logic, but I'm glad to see that the company is there now.
The payouts will depend on where the flaw is found, and the program won't initially be open to everyone. When it launches in September, the program will include a few dozen security researchers Apple has previously worked with. But if a researcher outside that group finds a high-value flaw, Apple said, it will consider paying him or her as well.
And they darn well should. A closed club (which the company says this is not but it sounds suspiciously like one at the outset) will not provide the benefits that an open club would.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology