Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Software The Almighty Buck Apple News Hardware Technology

Apple Announces Bug Bounty At Black Hat With Maximum $200,000 Reward (threatpost.com) 39

msm1267 quotes a report from Threatpost: Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty. The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of bugs in iOS and iCloud are in scope. Apple said the maximum reward will be $200,000 for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 access from a sandboxed process to user data outside that sandbox.
This discussion has been archived. No new comments can be posted.

Apple Announces Bug Bounty At Black Hat With Maximum $200,000 Reward

Comments Filter:
  • Invitation-only (Score:4, Insightful)

    by Anonymous Coward on Friday August 05, 2016 @08:07AM (#52650225)

    I don't think Apple understands the concept of the bug bounty program. Making it invitation-only will not persuade those who find bugs and have not been invited from sharing the details of the bug with you.

    • Yep, they ought to let you in to the "invite" group if you find something and they didn't "invite" you. For feck's sake Apple. Oh, wait, that's the 3rd paragraph in TFA.

      Seriously, this is how Apple do it - they start a small project off to get experience, then they roll it out. I can't see the problem here...

  • by fustakrakich ( 1673220 ) on Friday August 05, 2016 @08:09AM (#52650233) Journal

    In the meantime the uninvited enjoy much greater rewards exploiting the bugs

    • by Kjella ( 173770 ) on Friday August 05, 2016 @10:38AM (#52651095) Homepage

      In the meantime the uninvited enjoy much greater rewards exploiting the bugs

      So? You also make more money selling crack cocaine than burgers at McDonald's, bounties are so white hats can make a living for those who want to be legit security researchers. I really doubt there's many that flip-flop between white hat and black hat depending on who's the highest bidder.

      • You also make more money selling crack cocaine than burgers at McDonald's

        Exactly, that's why crack is available, delivered to your doorstep (soon by drone) 24/7. McDonalds sales amount to ~25 billion per year. Cocaine ~88 billion. Contraband is a bigger part of the economy than people like to admit. And those McDonalds employees could use a little supplemental income.

        If you want your bounties to work, you can't go around putting conditions on them. Most people are going to take the path of least resistance.

    • In the meantime the uninvited enjoy much greater rewards selling the bugs to the highest bidder

      FTFY

      • In the meantime the uninvited enjoy much greater rewards selling the bugs to the highest bidder

        FTFY

        Of course no bug bounty program yet installed has prevented that from happening. At least not if the target was in any way interesting to bidders.

  • Funny how all the security experts at BlackHat cheered the announcment, while the nincompoops at Slashdot are blowing raspberries. Well, one group thinks they at least have a chance to make some money.
  • Why not pay people to debug your code prior to selling that crap to others?

    "We won't wait until it is done before selling or we would make no money, and we cannot keep it secret that long either. We won't hire people to make good code, because we only hire people that do what little they are told, as fast and buggy as they can, so we can sell some more crap faster and have the buyers fix it themselves for no to low pay. We won't pay for work, only end results that we choose. And getting crap out there quick

Be sociable. Speak to the person next to you in the unemployment line tomorrow.

Working...