Apple will finally pay for the discovery of security vulnerabilities

We recently commented that Apple was one of the few companies in the technology industry that did not offer a rewards program for reported security vulnerabilities. Today, anyone who helps the company in this regard (finding and reporting vulnerabilities in its systems) “wins” only a nominal thank-you. Fortunately, that will change soon.

This week, Apple participated in Black Hat USA 2016. There, the company announced that it will finally open a program to financially reward security researchers and hackers who discover and report relevant vulnerabilities, whether in its operating systems (iOS, macOS, watchOS and tvOS) or in its products (hardware such as Macs, iPhones, iPads, Apple TV, etc.). For comparison, Google paid more than $2 million in rewards of this type in 2015 (the vast majority for vulnerabilities in Android).

As we can see in a tweet by Jay “saurik” Freeman (creator of Cydia, a store that lets you install apps/tweaks on jailbroken iGadgets), the rewards, at least initially, range from $25k (for a process gaining access to user data outside its sandbox) to $200k (for vulnerabilities in secure boot firmware components).

The new program starts in September and is invitation-only (a few dozen researchers), with the idea that it will expand over time. The good news is that if someone who is not part of the program has a significant vulnerability on their hands, they should be invited to join it. The company also explained that, although unusual (limiting everything to invitees), this is important to eliminate spurious reports and to make sure that reliable researchers have adequate support.

It is undeniable that a financial reward is a huge incentive for researchers and hackers to search for bugs and disclose them to companies. Something like this was really missing from Apple. It is the kind of situation where everyone wins: users (who get safer products/systems in their hands), hackers (who are financially rewarded) and Apple (which makes its ecosystem safer by paying only when something really important is discovered and reported).

(via The Verge, TechCrunch)