|
Apple offers big cash
rewards for help finding security bugs
Send a link to a friend
 [August 05, 2016]
By Jim Finkle
LAS VEGAS (Reuters) - Apple Inc said it
plans to offer rewards of up to $200,000 (£152,433) to researchers
who find critical security bugs in its products, joining dozens of
firms that already offer payments for help uncovering flaws in their
products.
The maker of iPhones and iPads provided Reuters with details of the
plan, which includes some of the biggest bounties offered to date,
ahead of unveiling it on Thursday afternoon at the Black Hat cyber
security conference in Las Vegas.
The program will initially be limited to about two dozen researchers
who Apple will invite to help identify hard-to-uncover security bugs
in five specific categories.
Those researchers have been chosen from the group of experts who
have previously helped Apple identify bugs, but have not been
compensated for that work, the company said.
The most lucrative category, which offers rewards of up to $200,000,
is for bugs in Apple's "secure boot" firmware for preventing
unauthorized programs from launching when an iOS device is powered
up.
Apple said it decided to limit the scope of the program at the
advice of other companies that have previously launched bounty
programs.
Those companies said that if they were to do it again, they would
start by inviting a small list of researchers to join, then
gradually open it up over time, according to Apple.
Security analyst Rich Mogull said that limiting participation would
save Apple from dealing with a deluge of "low-value" bug reports.
"Fully open programs can definitely take a lot of resources to
manage," he said.
Apple declined to say which firms provided advice.
Such rewards are currently offered by dozens of firms, including
AT&T Inc, Facebook Inc, Google, Microsoft Corp, Tesla Motors Inc and
Yahoo Inc.
[to top of second column] |
A store employee uses an iPad during a preview event at the new
Apple Store Williamsburg in Brooklyn, New York, U.S., July 28, 2016.
REUTERS/Andrew Kelly
Microsoft, which has handed out $1.5 million in rewards to security researchers
since it launched its program three years ago, also offers rewards for
identifying very specific types of bugs. Its two biggest payouts have been for
$100,000 each.
Not all bounty programs are as focused as the ones from Apple and Microsoft.
Facebook, for example, has an open program that offers rewards for a wide-range
of vulnerabilities. It has paid out more than $4 million over the past five
years, with last year's average payment at $1,780.
In March, Facebook paid $10,000 to a 10-year-old boy in Finland who found a way
to delete user comments from Instagram accounts.
(Reporting by Jim Finkle; Editing by Andrew Hay)
[© 2016 Thomson Reuters. All rights
reserved.] Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
 |
