How much is a flaw in Apple software worth? The answer to that question has long been a mystery, because Apple didn't pay security researchers who reported bugs to the company.
That changed Thursday, when Ivan Krstic, Apple's head of security engineering and architecture, said the company will pay bug bounties of up to $200,000 to researchers who find and report vulnerabilities in specific parts of Apple's software.
"We are pleased to announce an Apple security bounty program," Krstic said during a talk at the Black Hat cybersecurity conference in Las Vegas. He also offered technical details on Apple's approach to safeguarding user data.
Bug bounties have long been a cybersecurity staple for big software makers, internet companies and other heavy-duty users of computers, including Microsoft, Yahoo, Chrysler and United Airlines. Last month, for instance, Google said in the last year it had paid $550,000 in total to people who had discovered vulnerabilities in its Android software. In February, Facebook said that since 2011, its bug bounty program has handed over $4.3 million to more than 800 researchers worldwide.
Cybersecurity researchers aren't shy about publishing their findings when they've discovered a flaw in an Apple system. The company has historically drawn less mass-market malware than its competitors, partly because of its smaller market share and partly because its platforms are tightly locked down, so finding one of these bugs is a prestigious accomplishment.
But not everyone tells the company what they've found, instead selling information on how to break into Apple systems to governments or hacking organizations. It's possible the new bug bounty will encourage researchers to tell Apple first.
That could help the company avoid a repeat of the surprise ending to its recent court battle with the US Department of Justice. Apple balked when the government asked it to help bypass the passcode protections (the attempt limit and auto-erase) on an iPhone that belonged to one of the shooters in the San Bernardino, California, terrorist attack in December. Rather than drag matters out in courtroom appeals, the federal government instead paid an undisclosed third party for a technique to break into the phone.
The government is estimated to have paid less than $1 million for the hacking technique, but the exact figure hasn't been revealed.
Maybe if Apple had been paying bounties for major flaws, it could have avoided that scenario, said Rich Mogull, CEO of cybersecurity research company Securosis. But when it comes to really valuable tools for hacking the company's products, he said, "Apple's not going to be able to out-pay the government or some Russian mafioso who can pay $1 million."
What the program will do is encourage researchers to go the distance with their findings, Mogull said. Rather than spotting a flaw and moving on, researchers will have a reason to turn it into a working proof of concept that shows the flaw could really let attackers in. That proof is required before Apple will pay up.
Apple said the bug bounty is meant to acknowledge how difficult it is to find a weakness in its systems. As the company has encrypted more user data and continues to tightly control what software can run on its devices, the challenge of breaking that security has grown.
The payouts will depend on where the flaw is found, with the top tiers reserved for the deepest parts of the platform: $200,000 for a flaw in secure boot firmware components, $100,000 for extracting confidential material from the Secure Enclave, $50,000 for arbitrary code execution with kernel privileges or for unauthorized access to iCloud account data on Apple's servers, and $25,000 for escaping a sandboxed process to reach user data outside that sandbox. The program won't initially be open to just any hacker, Apple said. When it launches in September, it will include a few dozen security researchers the iPhone maker has previously worked with. But if a researcher outside that group finds a high-value flaw, Apple said, it will consider paying him or her as well.
"It's not meant to be any kind of exclusive club," Krstic said.