What it is: Apple has announced a new bounty program paying people up to $200,000 to find security flaws in their software.
In the early days of computers, nobody even thought about security. That’s why security in Windows was initially so poor: it had to be bolted on after the fact. Microsoft made tremendous strides in increasing security with the Windows XP Service Pack 3 update and then continued improving security with each subsequent version of Windows.
In the old days, people thought that keeping their code secret would increase security, a myth known as security by obscurity. Unfortunately, keeping code secret simply meant that if someone did discover a security flaw, they could cause tremendous damage because nobody else was likely to know about it.
That’s why most companies now offer a bug bounty program, paying people to discover (and reveal) security flaws in their software. The idea is that it’s cheaper to pay people to reveal security flaws now than wait until someone takes advantage of the security flaw and hurts the reputation of the software and manufacturer.
Yet for the longest time, Apple resisted paying for security flaws, until now. However, with more at stake given the growing reliance on iOS for Apple Pay, and possible software to run an Apple Car, it’s crucial that consumers trust Apple’s software. Apple’s own engineers can’t find all possible security flaws, so it’s important to rely on outsiders. Such outsiders could try to exploit these security flaws for their own benefit, but it’s usually far more lucrative for them to take the guaranteed payout of revealing the security flaw to the company instead.
Apple plans to pay for the following types of security flaws:
- Vulnerabilities in secure boot firmware components: Up to $200,000
- Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
- Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
- Access to iCloud account data on Apple servers: Up to $50,000
- Access from a sandboxed process to user data outside the sandbox: Up to $25,000
Will this make Apple’s software more secure? Probably. Will this make Apple’s software immune from hacking or bugs? Never. All types of software have bugs and security flaws in them. It’s just a matter of finding and fixing them before anyone can use them for malicious purposes.
So expect Apple’s software to start getting more secure and reliable. It may not happen overnight, but at least paying a bounty for discovering bugs and security flaws is a massive step in the right direction.