As part of a security presentation given at this year's Black Hat conference, Apple today announced that it would be starting up a bug bounty program in the fall. The program will reward security researchers who uncover vulnerabilities in Apple's products and bring them to the company's attention. Google, Microsoft, Facebook, and many other companies have offered bug bounty programs for some time now, but this is Apple's first.
For now, Apple is intentionally keeping the scope of the program small. It will initially be accepting bug reports from a small group of a few dozen security researchers it has worked with in the past. For now, bounties are only being offered for a small range of iDevice and iCloud bugs. The full list is as follows:
- Secure boot firmware components: Up to $200,000.
- Extraction of confidential material protected by the Secure Enclave: Up to $100,000.
- Execution of arbitrary code with kernel privileges: Up to $50,000.
- Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.
- Unauthorized access to iCloud account data on Apple servers: Up to $50,000.
As the program continues and Apple works the, um, bugs out of its processes, the company will expand the list of eligible security researchers as well as the list of hardware and software bugs for which bounties are offered.