In 2016, technology heavyweight Apple (AAPL) started its iOS bug bounty program with a maximum reward of $200,000. It would offer cybersecurity professionals a reward if they managed to penetrate the iPhone and find a security defect. This year, Apple is offering a prize of up to $1 million for the identification of security vulnerabilities in the iPhone and its other devices.
This marks the first time Apple has included other devices in its bounty program. It has expanded the program to cover its MacBook, Apple TV, iCloud, and Apple Watch operating systems.
It’s possible Apple is expanding its bounty program to other devices as a result of a Mac incident earlier this year. According to a report, in February, Germany’s Linus Henze “discovered a macOS Keychain exploit but refused to hand over details of the flaw in protest of Apple’s not offering a macOS bug bounty. Henze eventually handed over the details of the flaw, saying the vulnerability was too important to not disclose.”
The payout will depend on the extent of the security flaw detected. Researchers who detect a “zero-click, full chain kernel code execution attack” will be eligible for a $1 million bounty. Apple will also pay a 50.0% bonus to researchers who can successfully detect security flaws in the company’s free software releases.
Huge customer base
Apple has a huge customer base across all its devices. It’s sold over 1 billion iPhones and millions of MacBooks to date. The Apple Watch is quickly gaining traction among users, so the company is rightly focused on ensuring data and device security.
Recently, cybersecurity company Check Point Software (CHKP) identified vulnerabilities in Apple devices that could potentially affect 1.4 billion users. According to Check Point, hackers can access old iPhone and iPad devices via the Contacts application. After exploiting this bug, they may gain access to user passwords and other personal information.
Apple’s bounty program will likely attract individual researchers as well as participation from private companies. Apple claims the bug bounty program has been successful since its launch. Researchers have identified and reported over 50 flaws since August 2016.