
Many companies in the IT field offer rewards to users who find dangerous bugs in those companies' products. Over the past five years, bug bounty programs have been adopted by dozens, if not hundreds, of companies. It is more profitable for them to rely on crowdsourcing, paying a set amount for a vulnerability found by a third-party specialist, than to ignore the problem and later pay for a data leak or a compromise of their servers, where the losses can be enormous.
All these years, Apple has refused to pay rewards to users who found vulnerabilities in its products and reported the problem. Today everything has changed. Ivan Krstić, Apple's head of security engineering and architecture, announced the company's own bug bounty program at the Black Hat conference. The maximum reward for professionals who report vulnerabilities will be $200,000.
The program will launch in September. At first, rewards will be paid only to specialists the corporation has already worked with. Krstić explained that if the program were opened to everyone, the company would simply be overwhelmed with reports of all sorts of problems, both obvious and false, and a genuinely important report could be missed in that flow. Later, Apple will work with all information security specialists who want to cooperate.
Krstić is the first Apple representative to speak at a Black Hat conference in four years. Usually the corporation has shared any details related to the security of its products and services at its own conference, WWDC.
$200,000 is a fairly large amount; a number of companies pay much less. But it is not a record: the FBI paid a million US dollars for breaking into the phone of the San Bernardino shooter.
Previously, Apple's own employees searched for vulnerabilities, but after a series of reports from the corporation's information security department, management decided to use the services of third-party specialists. According to Krstić, over time it is becoming increasingly difficult for the company's own employees to find vulnerabilities.
The program defines several categories of vulnerabilities for which a reward is paid:
- Vulnerabilities in secure boot components: up to $200,000;
- Extraction of confidential information from the Secure Enclave: up to $100,000;
- Execution of arbitrary or malicious code with kernel privileges: up to $50,000;
- Access to iCloud account data on Apple servers: up to $50,000;
- Access from a sandbox to user data outside the sandbox: up to $25,000.
Each report will be evaluated on several criteria, including the clarity of the problem description, its novelty, and the severity of the vulnerability.