Apple announces bug bounty program

  • This is definitely a step in the right direction. They say they're worried that their bounties won't be enough to dissuade anyone only interested in money from disclosing vulnerabilities to malicious sources. Honestly I think that a lot of people who discover these vulnerabilities would rather be paid slightly less money by disclosing to Apple and have the rep/CV fodder of "I broke Apple" that comes with a responsible public disclosure, than going through secret channels to make slightly more money at the risk of potential legal trouble.

    And anyways, 200 grand is an astoundingly high ceiling for bug bounties; highest I've ever seen paid out was a "meager" 20k by Uber, and I thought that was a lot of money for a bug program at the time.

  • As mentioned, the program is currently invite-only

    (i.e., https://twitter.com/i0n1c/status/761349794510036992)

  • I'm a bit surprised, because you'd think that they'd have been doing this already.

  • I'm not familiar with the market but these seem low when you consider:

    - The effort required to find them

    - The damage that can be inflicted on Apple in terms of brand goodwill and the subsequent loss of sales, e.g. the SEP implications for ApplePay

    - The damage that can be inflicted on users and 3rd parties, e.g. imagine the amount of cash banks would be on the hook for if someone managed to, say, write a worm that used iMessage/SMS to propagate without user knowledge (e.g. with the recent TIFF vulnerability) and transfer funds from the user's bank account? Or made calls to the baseband to dial shady $10/minute premium-rate numbers in some banana republic at 3AM every night?

    - The amount of money TLAs and black market actors allegedly pay per the TC article.

    - How much money Apple actually has, especially all the offshore cash that can't be repatriated to the US without incurring exorbitant capital gains. These bug bounties could be remitted from any Apple subsidiary.

    - Large bug bounties would de facto end jailbreaking

    - Knowing Apple there would be endless NDAs and restrictive covenants before any payout is made.

    IMO with all this considered the max payouts seem irrationally paltry.

  • I wonder if they are backfilling rewards to any of the external researchers who have been doing all of Apple's security research for the last decade. Just as an example, a single researcher from Google is credited with 11 separate vulnerabilities that would qualify for the $50k reward, in a single patchlevel of OS X (and the same person had five such credits in the patchlevel prior to that!). That's almost a million bucks worth of rewards in only half a year of disclosures.

  • Next they need to offer a bounty program for usability issues. iOS needs a lot of love since Forstall got squeezed out.

  • Wonder if they'll include their servers too; appears they're only doing the most recently released OS and hardware.

  • I once found a security bug on OS X/Mac (low chance of occurring, however it gives complete access), reported complete steps to reproduce and solutions, and received a more or less copy-pasted response. Two years and two OS X versions later, the bug is still there, even though it looks like a 5-minute fix...

  • The question is: will they pay $1,000,000 for an exploit that unlocks an iPhone?

    http://www.reuters.com/article/us-apple-encryption-idUSKCN0X...

  • Am I reading it correctly that this is only iOS, and not other Apple software?

  • Charlie Miller must be happy.

    https://twitter.com/0xcharlie

  • Can't wait for "We pioneered InfoSec by our first-of-kind innovative bug bounty program" @ next WWDC.

  • Apple has bugs?

  • Apple's finally invented the bug bounty!

  • How about you fix bugs that are already well known, like how the SD reader dies after a while in El Cap?

  • Finally, I'm going to be rich!

  • I wish Apple would just fix the myriad ordinary bugs, let alone focus on security.