Apple’s New Bug Bounty Program

Apple announced on Thursday a new bug bounty program with rewards as high as $200,000 for some categories of exploit. The new program will initially only be available to a select group of security researchers who have previously found vulnerabilities in Apple's products, but eventually it will be opened up to additional groups and individuals.

Apple has traditionally been very secretive about details of its products, from launch dates to product specs, and that secrecy has extended to its approach to security internals and vulnerability reporting. With this latest move, Apple joins many of the largest tech companies that have established bug bounty programs offering payouts for valid, responsibly reported vulnerabilities. Among those companies, Apple now offers one of the highest payouts for researchers.

In the past, Apple avoided offering rewards for vulnerabilities because it did not believe a bounty would be a significant motivator for the parties who discover them. From a TechCrunch article covering the announcement:

In the past, Apple has cited high bids from governments and black markets as one reason not to get into the bounty business. The reasoning went: If you’re going to be outbid by another buyer, why bother bidding at all? While $200,000 is certainly a sizable reward — one of the highest offered in corporate bug bounty programs — it won’t beat the payouts researchers can earn from law enforcement or the black market.

This move is one of several in recent years in which Apple has begun to open up to the security research community.