Apple has so far paid nearly $20 million to security researchers through its bug bounty program, which launched in 2019. The company has also revamped its bug bounty website, which now gives more information about which areas are in scope.
Apple has completely revamped its website for external bug bounty researchers, although the public page still contains relatively sparse information compared with many other first-party bug bounty platforms. The new site also raises the maximum reward. That applies to Lockdown Mode in iOS 16 and macOS 13 Ventura. Lockdown Mode is aimed at users who may face targeted cyberattacks, such as human rights activists, journalists or politicians. Researchers who can bypass its protections can receive up to $2 million from Apple. The maximum for running code in the kernel without user interaction remains $1 million.
In an accompanying blog post, Apple writes that it has already paid out “nearly $20 million” in bounties since launching the program. The median payout is $40,000. In 20 cases, Apple paid more than $100,000 for a single vulnerability. Apple opened its bug bounty program to the public in 2019, making it one of the last major tech companies to launch one.
That total is “one of the largest in the history of the industry,” according to Apple, but the program has not been without conflict. Apple has been criticized for its bug bounty program in the past. Several times, researchers have published details of the vulnerabilities they found because they had heard nothing from Apple for a long time. Security researchers that Tweakers spoke to earlier told similar stories: Apple's security team is often hard to reach, and researchers don't know exactly what is happening with their reports.
Apple does not directly acknowledge this criticism in its blog post, but it does say it now responds to reports more quickly. “Sometimes we received more submissions than we expected, so we expanded our team and made sure we can conduct an initial review of each report within two weeks, and in most cases within six days,” the company wrote. Apple is also making it easier for researchers to submit reports: they can do so via the website after signing in with their Apple ID. Researchers then get a page showing the current status of their report, where they can also contact Apple directly.
From the end of November, researchers will also be able to sign up for the Security Research Device (SRD) program, which provides specially configured iPhones for security researchers. These devices make research easier, but access to the program has always been very limited.