Until now, Apple has resisted calls to offer a bug bounty program like many other companies ranging from AT&T to Tesla Motors to Zynga. However, an Apple executive has revealed that the company plans to offer cash awards to a select group of security researchers who can identify vulnerabilities in key application areas.
The company plans to award bounties of $25,000 to $200,000 to unnamed researchers who will be invited to prove exploits in specific types of Apple software, Ivan Krstic, head of Apple security engineering and architecture, said yesterday during his presentation about iOS security at the Black Hat security conference in Las Vegas. Set to begin in September, the bug bounty program will focus on areas affecting Apple’s iCloud or iOS systems.
As a number of observers have noted, Krstic’s announcement is unusual because Apple typically reveals big program news at its own Worldwide Developer Conference (WWDC) (the most recent one was held in June) rather than at other venues. However, news of its bug bounty program isn’t necessarily surprising in light of the iPhone security faceoff it had with the U.S. Federal Bureau of Investigation earlier this year, as well as the company’s recent moves to open up some of its code to app developers.
Evolving Security Landscape
Following a mass shooting in San Bernardino, Calif., in December of 2015, the FBI obtained a court order to compel Apple to create new code so the agency could unlock an iPhone used by one of the shooters. Apple fought the order, arguing that such action could leave its systems less secure for users in general, and the FBI eventually withdrew its court request after paying $1 million to an unnamed third party that was able to bypass the iPhone’s security.
In the aftermath of that legal skirmish,…