Apple announced the new program during the Black Hat security conference, when Ivan Krstić, the head of Apple's security engineering, took the stage. Krstić said the company would pay bug bounties of up to $200,000 to researchers who find and report vulnerabilities in specific Apple software. Don't set your sights on a big payday just yet, though: as with most things Apple does, the company is keeping very tight control over the program.
For now, Apple is limiting the program to about two dozen researchers whom Apple will selectively invite to help identify hard-to-uncover security bugs in five specific categories. The high-dollar bounties are only being offered for a narrow range of iOS device and iCloud bugs. The full list is as follows:
- Secure boot firmware components: Up to $200,000 (~£150,000)
- Extraction of confidential material protected by the Secure Enclave: Up to $100,000.
- Execution of arbitrary code with kernel privileges: Up to $50,000.
- Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.
- Unauthorized access to iCloud account data on Apple servers: Up to $50,000.
Apple said it decided to limit the scope of the program on the advice of other companies that have previously launched bounty programs. According to Apple, those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open the program up over time. Limiting participation not only gives Apple more control, it also spares the company a flood of "low-value" bug reports and reduces the risk of damaging vulnerabilities leaking before they can be fixed.