Apple Jumps On The Bug Bounty Train. Somewhat.
Apple is turning a new leaf as far as security is concerned. No, don't worry, it still has a firm stance on encryption. But now it is, for the first time, also looking outward for help in keeping its software and services more secure. At the Black Hat cyber security conference in Las Vegas, an unusual venue for Apple, it announced that, at long last, it will have a bug bounty program. That said, it's not yet open to everyone, which makes the $200,000 prize somewhat of an unreachable dream.
In the past, Apple has been more reclusive in the way it handles bugs and security exploits. But that approach no longer seems to scale today, with not only hackers but even governments seemingly working against it. Apple is now seeking outside help, but not yet to the full, open extent that other tech companies have.
Apple is limiting the program to about two dozen security researchers and groups, particularly those who have already reported bugs to Apple but have not been monetarily compensated. That's not the only way Apple is limiting its bug bounty program. It will cover only a few very specific categories. The highest prized one, the one with a $200,000 bounty, focuses solely on bugs found in the secure boot firmware for its devices.
As to why it chose to have the doors half open only, apparently it was at the advice of other companies who also have bug bounty programs, programs that are, however, more open. Those unnamed companies apparently regret starting out that big and told Apple to start with a smaller number first.
Larger bug hunting programs necessarily require more resources. And while Apple isn't exactly short on those, it is still overly cautious about opening the floodgates lest all hell break loose.
SOURCE: Reuters