Apple is offering cyber security researchers up to $1 million to detect flaws in iPhones, the largest reward offered by a company to defend against hackers.
[Apple new bounty program] comes at a time of rising concern about governments breaking into the mobile devices of dissidents, journalists and human rights advocates.
Unlike other technology providers, Apple previously offered rewards only to invited researchers who tried to find flaws in its phones and cloud backups.
At the annual Black Hat security conference in Las Vegas on Thursday, the company said it would open the process to all researchers, add Mac software and other targets, and offer a range of rewards, called “bounties,” for the most significant findings.
The $1 million prize would apply only to remote access to the iPhone kernel without any action from the phone’s user. Apple’s previous highest bounty was $200,000 for friendly reports of bugs that can then be fixed with software updates and not leave them exposed to criminals or spies.
Apple is taking other steps to make research easier, including offering a modified phone that has some security measures disabled.
MacDailyNews Take: These bounties are much more in line with the going rate for big boy exploits and we’re very happy to see the Mac finally included, too!
Loosen the purse strings, Apple. Extend your bug bounty program to include macOS (and all other operating systems not currently covered). — MacDailyNews, February 6, 2019
About F’ing time Apple. You got the money.
So many people have offered found bugs, zero day and others, to Apple in the past few years. No doubt these people have saved Apple a bundle, especially in the cases of zero-day bugs, but these people have received little more than a simple e-mail thank you, if that.
Wouldn’t it be good PR for Apple to offer, say, ~10% of the newly-announced rates as an ex gratia post facto ‘thank you’ to those who found macOS bugs between the time Apple started offering bounties on iOS until this announcement?
Nah, most people reporting bugs (including the legions of beta testers) aren’t doing so for the money. This, and the dollars involved, are targeted towards folks that are currently making money illicitly… and they ALL now know that the first one that reports the exploit they are all using will 1. Get the money for the bounty and 2. Screw everybody else!
This is a direct shot to some folks who would love to take a nice million dollar payout and stop shuffling their wares on the dark web. While some will certainly keep their secrets to themselves, there are many that would be willing to trade what they know for as little as a few hundred thousand crime free dollars 😉
There is an unfortunate irony in this, in that the good people get no reward, and the bad get the most.