Apple launches bug bounty programme

• Apple follows Microsoft, Google with bounty programme
• Proper internal structure required to handle bug reports

 
 

APPLE has decided to follow Google and Microsoft in its software bug hunt policies. Ivan Krstic, Apple's Head of Security Engineering and Architecture, announced this at the recent Black Hat event.
 
For some time now, Apple had been operating an unofficial bug bounty programme. In fact, for many years, Apple had faced accusations of ignoring critical bugs and participating in a witch hunt of bug hunters.
 
According to Wired, Krstic said, "We've had great help from researchers like you in improving iOS security all along. Feedback that we've heard pretty consistently from my team at Apple and from researchers directly is that it's getting increasingly difficult to find some of those most critical security vulnerabilities. So the Apple Security Bounty Programme is going to reward researchers who share critical vulnerabilities with Apple."
 
The amount of bug bounty varies depending on the type of bug found. It could be as much as US $200,000 if you catch a bug in the Apple secure boot system. "We go to tremendous lengths when it comes to engineering these security systems that provide trust in how we protect user data," Krstic added.
 
See the CNBC video on Apple's new bug bounty program.
 

 
Apple is hardly the first company to operate such a program.  Since launching its bug bounty program in 2010, Google has paid over US $6 million to security researchers who located the bugs. Recently, the company increased the reward for bugs found in Chromebooks to US $100,000.
 
Google said in a statement, “That said, great research deserves great awards, so we are putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.”
 
Not to be outdone, the US Department of Defence also recently launched its own bug bounty program. Microsoft has also recently expanded its bug bounty program to include the Nano Server installation option of Windows Server 2016 Technical Preview 5.
 
The tech giant is particularly interested in remote code execution vulnerabilities, privilege escalation and remote unauthenticated denial of service and other high-impact bugs in Nano Server DLLs such as information leaks and spoofing.  Researchers can earn between US $500 and US $15,000, depending on the severity of the flaw.
 
The effectiveness of a bug bounty program is closely linked to the maturity of the software development company than with the industry they are in. An externally facing bounty program like the one announced by Apple must have a strong set of internal controls and procedures to handle it.  
 
These controls include the management of communications between the submitter and the development teams, identifying duplicate submissions, and efforts to address the reports.
 
But not everything is rosy with the realm of bug bounties. Announcing a bug bounty program could negatively affect the public's perception of a company. Also some companies begin an internal program that does not follow through with appropriate incentives, time allocation, or buy-in from the relevant employees. This can lead to developers being turned off or a very public spat. There is also the risk of a bug submitter feeling that their reward was insufficient and then publishing the bug or vulnerability in a public forum before it can be fixed.

 
Related Stories:
 
Cloud-based security: Is it for you?
 
Security is a process
 
The six domains of network security, and fighting IT
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.