Apple’s cautious foray into the wild and woolly world of bug bounties has proved there is more than one way to run a program. Organizations unsure about setting up a bug bounty program should take a look at Apple’s model.

At the Black Hat conference in Las Vegas last week, Ivan Krstic, Apple’s head of security engineering and architecture, announced the company will pay rewards of up to $200,000 for five classes of bugs in iOS and iCloud. Apple will pay $100,000 to researchers who can extract confidential data from the iOS Secure Enclave Processor, $50,000 to researchers who report code execution flaws that provide kernel privileges or unauthorized access to iCloud account information, and $25,000 to researchers with vulnerabilities that allow a sandboxed process to ‘break out’ and gain access to user data outside the sandbox. The $200,000 maximum reward is reserved for vulnerabilities and proof-of-concept code in the company’s secure boot firmware.
