Tech companies hold the keys to some of our most personal information — payment details, health records, chat logs with our lovers and archives of family photos — and, as we hand over more and more private data, it becomes increasingly important that companies earn our trust by keeping it secure.
Over the past five years, most major tech companies have instituted bug bounty programs, welcoming vulnerability reports from hackers and reimbursing for reports in cash. Companies that don’t have the technical expertise to run their own bounty programs have outsourced this important security work to outside firms.
But for years, Apple remained a holdout. While security has been a crucial part of its corporate narrative, Apple has quietly refused to pay for bug reports, at times frustrating security researchers who found it difficult to report flaws to the company. That changed today, as Apple’s head of security engineering and architecture, Ivan Krstic, announced to Black Hat attendees that Apple will begin offering cash bounties of up to $200,000 to researchers who discover vulnerabilities in its products.
Krstic’s announcement is part of Apple’s ongoing work to shed some of the secrecy around its security architecture and open up to the community of hackers, researchers and cryptographers who want to help improve its security. Even Krstic’s talk at Black Hat, which also covered the security features of HomeKit, AutoUnlock, and iCloud Keychain, is somewhat unusual for Apple. A representative for the company hasn’t spoken at Black Hat in four years and Apple typically saves security announcements for its own conference, WWDC.
“Apple historically had a rough relationship with researchers,” said Rich Mogull, CEO ofSecurosis and a security analyst who keeps tabs on iOS security. “Over the last 10 years, that has changed a lot and become more positive.” The bug bounty program, he says, is another step in the right direction.
In the past, Apple has cited high bids from governments and black markets as one reason not to get into the bounty business. The reasoning went: If you’re going to be outbid by another buyer, why bother bidding at all? While $200,000 is certainly a sizable reward — one of the highest offered in corporate bug bounty programs — it won’t beat the payouts researchers can earn from law enforcement or the black market. The FBIreportedly paid nearly $1 million for the exploit it used to break into an iPhone used by Syed Farook, one of the individuals involved in the San Bernardino shooting last December.
A bug bounty program is unlikely to tempt any hackers who are only interested in getting a massive payout. For those who only care about cash, Mogull said Apple could probably never pay enough. But for those who care about making an impact, getting a check from Apple could make all the difference. “This is about incentivizing the good work,” Mogull explained./ Read More at: https://techcrunch.com/2016/08/04/apple-announces-long-awaited-bug-bounty-program/