Finally, Apple Bug Bounty Program launched.
Bug bounties have long been a cybersecurity staple for big software makers, internet companies and other heavy-duty users of computers, including Microsoft, Yahoo, Chrysler and United Airlines. Last month, for instance, Google said that in the last year it had paid $550,000 in total to people who had discovered vulnerabilities in its Android software. In February, Facebook said that since 2011, its bug bounty program has handed over $4.3 million to more than 800 researchers worldwide.
For now, Apple is intentionally keeping the scope of its bug bounty program small by launching it as invitation-only, open to a limited group of security researchers who have previously made valuable bug disclosures to Apple.
The company will slowly expand the bug bounty program.
Launching in September, the program will offer bounties for a small range of iOS and iCloud flaws.
So finally, Apple will pay you for finding bugs in its products.
On Thursday, the head of Apple security, Ivan Krstic, said the company will pay bug bounties -- up to $200,000 -- to researchers who find and report vulnerabilities in specific Apple software.
"We are pleased to announce an Apple security bounty program," Krstic said during a talk at the Black Hat cybersecurity conference in Las Vegas. He also offered technical details on Apple's approach to safeguarding user data.
Apple said that if hackers donated their rewards to charity, it would match their donation. “We want to reward the people, and frankly the creativity it takes to find bugs in these categories,” said Ivan Krstic, Apple’s head of security engineering and architecture.
For six years, nearly every company in Silicon Valley has been rewarding hackers who turn over bugs — a term for flaws that can make a product vulnerable to intrusion — in their systems, with cash. The hope is that the money will be an incentive to keep those flaws out of the hands of organized groups or spy agencies willing to pay big money to learn about them.
But Apple had stayed away from the practice. Instead, it had credited anyone who turned over bugs by putting their names on its website — a far cry from the tens of thousands of dollars, and in some cases hundreds of thousands of dollars, companies like Google and Facebook were willing to pay.
The lack of an Apple bug bounty program made headlines earlier this year when the F.B.I. announced that it had paid hackers more than $1 million for a backdoor into Apple’s iPhone.
The government is estimated to have paid less than $1 million for the hacking technique, but the exact figure hasn't been revealed.
Maybe if Apple had been paying bounties for major flaws, it could have avoided that scenario, said Rich Mogull, CEO of cybersecurity research company Securosis. But when it comes to really valuable tools for hacking the company's products, he said, "Apple's not going to be able to out-pay the government or some Russian mafioso who can pay $1 million."
The payouts will depend on where the flaw is found, and the program won't initially be open to just any old hacker, Apple said. When it launches in September, the program will include a few dozen security researchers the iPhone maker has previously worked with. But if a researcher outside that group finds a high-value flaw, Apple said, it will consider paying him or her as well.
"It's not meant to be any kind of exclusive club," Krstic said.