Apple will pay ethical hackers more than a million dollars if they responsibly disclose dangerous security vulnerabilities to the firm, the company announced at the Black Hat security conference in Las Vegas, Guardian reported.
The new “bug bounty”, up from a previous maximum of $200,000, could even outbid what a security researcher could earn if they decided to skip disclosure altogether and sell the bug to a nation state or an “offensive security company”, according to data shared by Maor Shwartz, a vulnerability broker at the same conference.
Apple’s new bug bounty programme is a marked step up from a previous offering, which was limited to a select pool of pre-approved researchers. The company has also extended it to reward hackers finding vulnerabilities in watchOS and tvOS, as well as iOS and macOS.
The amount that researchers will receive depends on the severity of the bug they find. Earning $1m, for example, requires finding a weakness in iOS that can hack the kernel, the most secure layer of the operating system, without a single click from the user. There’s a potential bonus of another 50% if the bug is found in pre-release software, Apple said, potentially taking the earnings up to $1.5m for a single bug.
That matches what researchers could expect to earn if they went down the “grey hat” route and sold their finding to governments or contractors who intended to use it to hack state enemies, rather than fix it, according to Shwartz.
The “high-end market” for those sorts of buyers includes the same “zero-click RCEs”, remote command execution, for which Apple is offering its highest payout. It also includes any vulnerability in the encryption used by messaging services, including WhatsApp and iMessage, that could be used to intercept messages in transit and silently decrypt them.
Competition between governments and tech companies for knowledge of security vulnerabilities is more open than it has ever been. On the corporate side, the rise of bug bounties has ensured that responsibly disclosing weaknesses isn’t just something companies like Apple, Google and Microsoft expect hackers to do out of the goodness of their hearts, but can actually help those who find them pay the bills.