The Hamilton Spectator

Apple offering up to $200,000 for security bugs starting in fall

- ANDREA PETERSON

Apple will finally start paying cash rewards to researchers who find security problems in its products. But the news left some experts wondering why Apple was so late to the party.

So-called “bug bounty” programs are now standard among most tech giants. They can help keep consumers safe by encouraging independent researchers to help companies fix security flaws. When a researcher finds a legitimate problem, rewards can range all the way up to the six figures.

But Apple historically had a different approach — offering a tip line where people could report security problems, but not handing out any reward other than putting the researcher’s name on a thank you page on its website.

“It was kind of an insult,” said Matthew Green, a computer science professor at Johns Hopkins University who has previously told Apple about security problems in its products.

Apple now has a chance “to compete for the type of exploits available and control how they’ll be used,” said Jeff Pollard, principal analyst focused on IT security at Forrester Research.

Apple will launch the rewards program in September. It will only reward researchers for finding a few categories of problems at launch. The biggest payouts will be for bugs affecting software built into components that help Apple’s devices start up securely: researchers who find one of those could get up to $200,000 US.

Apple Pay may be a factor that pushed the company to be more aggressive about getting help from the security community, said Green.
