时间:2025-04-04 05:26:29 来源:网络整理编辑:探索
Apple is launching its first security bounty. The news comes on the heels of a presentation from App
Apple is launching its first security bounty. The news comes on the heels of a presentation from Apple’s Ivan Krstic at the annual Black Hat USA security conference in Las Vegas.
Krstic runs security engineering and architecture at Apple and presented an in-depth look at iOS security. This was Apple’s first appearance at Black Hat in four years.
SEE ALSO:Apple opens up on how it approaches security following FBI battleSince its battle with the FBI this spring, Apple has been more outwardly focused on discussing its commitment to security. To that end, Apple is opening up its first security bounty program. The program, which will roll out in September, will accept security submissions in a number of areas. Depending on the type of exploit found, researchers and their organizations will get more money.
The categories and issues up for consideration, along with their bounties, are as follows:
Secure boot firmware components – up to $200,000.
Extraction of confidential material protected by the Secure Enclave Processor – up to $100,000.
Execution of arbitrary code with kernel privileges – up to $50,000.
Unauthorized access to iCloud account data on Apple servers – up to $50,000.
Access to sandboxed processes to user data outside of the sandbox – up to $25,000.
Organizations can accept the money Apple offers or they can donate it to a charity of their choice. Apple says that if researchers choose to donate to a charity, they will consider matching that donation.
Apple tells meit may also award researchers who share significant critical vulnerabilities not outlined above.
Unlike many security bounty programs, this program is notopen to the public. For now, Apple is partnering with a dozen or so security researchers and organizations to focus on finding flaws.
But Apple tells me that this isn’t an attempt to be exclusive. The plan is to open it up to more individuals and organizations over time. Apple also says that if someone not associated with an invited organization responsibly discloses a vulnerability, that feedback will be welcome and they may be invited to join the formal process.
Apple says that it spoke to a number of other companies who have already run successful security bounties and that advice – which was to start small (as to reduce the signal/noise ratio) and then ramp up – contributed to the decision to only involve a few organizations and researchers at the start.
Although it’s great that Apple is introducing a security bounty, it's worth noting that the company has taken its time getting here. Nearly every other major tech company – including Microsoft, Google and Facebook – have offered security bounties for years.
So what took so long?
Apple tells me that although it has been working with outside researchers for years, it has consistently received feedback – from experts inside and outside of the company – that it is more difficult to identify significant security vulnerabilities without a bounty program.
As a result, it makes sense that the company would look (finally!) to outside organizations and researchers to offer their own feedback.
It probably doesn’t hurt that the focus on Apple’s security is now more pointed than ever before. With more eyes on Apple security – and more people trying to bypass it (whether it’s law enforcement or hackers), it makes sense to get more eyes focused on finding flaws.
I understand the need to limit -- at least initially -- involvement in the bounty program, but I do hope Apple commits to expanding the individuals and groups involved quickly. iOS as a platform deserves as many eyes on it as possible.
For now, the focus of the bounty is on iOS, but Apple says that it is open to expanding the bounty program to other platforms (including macOS) and other areas, once the program ramps up.
Have something to add to this story? Share it in the comments.
TopicsAppleCybersecurityiOSiPhone
Hiddleswift finally followed each other on Instagram after 3 excruciating days2025-04-04 05:02
India vs. Canada 2024 livestream: Watch T20 World Cup for free2025-04-04 04:51
TikTok child privacy complaint sent to U.S. Dept. of Justice2025-04-04 04:43
Connecticut Sun vs. Minnesota Lynx 2024 livestream: Watch WNBA for free2025-04-04 04:32
Nancy Pelosi warns colleagues after info hacked2025-04-04 04:23
This 'Kinds of Kindness' TikTok filter is as mystifying as the movie2025-04-04 04:17
'Doctor Who' does 'Black Mirror' in 'Dot and Bubble'2025-04-04 04:10
Walmart+ Week robot vacuum deals: A few hidden gems2025-04-04 03:16
We asked linguists if Donald Trump speaks like that on purpose2025-04-04 03:16
The best romantic movies on Netflix right now2025-04-04 02:47
Felix the cat just raised £5000 for charity because she's the hero we all need2025-04-04 05:21
Slovenia vs. Denmark 2024 livestream: Watch Euro 2024 for free2025-04-04 05:15
Google Search algorithm documents have leaked. Here's what experts are saying.2025-04-04 04:40
Creature with giant eggs filmed thousands of feet undersea2025-04-04 04:27
Tesla's rumored P100D could make Ludicrous mode even more Ludicrous2025-04-04 04:00
Best iPad deal: Take $220 off an iPad Air (5th gen) at Best Buy2025-04-04 03:56
Roblox and the BBC have teamed up for UK election coverage2025-04-04 03:54
Best laptop deal: Get the Lenovo IdeaPad 1 for $230 off at Best Buy2025-04-04 03:35
Make money or go to Stanford? Katie Ledecky is left with an unfair choice.2025-04-04 03:07
Google Pixel 9 video leak: Check out the new bright pink model2025-04-04 02:41