Apple will pay ethical hackers more than $1 million if they responsibly disclose dangerous security issues to the company, Apple announced at the Black Hat security conference in Las Vegas.
The new bug bounty, up from a previous maximum of $200,000, may even top what a security researcher could earn if they decided to skip disclosure altogether and sell the bug to a nation-state or an "offensive" security company, according to data shared by Maor Shwartz, a vulnerability broker, at the same conference.
Apple's new bug bounty program is a marked step up from its previous offer, which was limited to a selection of pre-approved researchers. The company has also expanded it to reward hackers who find vulnerabilities in watchOS and tvOS, as well as iOS and macOS.
The amount researchers will receive depends on the severity of the bug they find. Making $1
That is in line with what researchers could expect to earn if they went down the "gray hat" route and sold their findings to governments or contractors that intended to use them to hack state enemies rather than fix them, according to Shwartz.
The "high market" for those kinds of buyers includes the same "zero-click RCEs" (remote code execution bugs that need no interaction from the victim) for which Apple offers its highest payout. It also includes encryption vulnerabilities in messaging services, including WhatsApp and iMessage, which can be used to intercept messages in transit and silently decrypt them.
Competition between governments and technology companies for knowledge about security issues is more open than it has ever been. On the corporate side, rising bug bounties have ensured that responsibly disclosing vulnerabilities to companies like Apple, Google and Microsoft is not just something hackers do out of the goodness of their hearts, but something that can actually help those who find them pay the bills.
On the government side, however, companies such as Zerodium pioneered openly announcing that they would buy security issues, with the intention of passing them on to government customers who use them as part of their espionage work. In January, Zerodium increased its maximum payout to $2 million, the company announced, for any vulnerability that could remotely "jailbreak" an iOS device, enabling unauthorized software installation without requiring any user interaction.
Apple, however, is fighting back by giving select security researchers pre-jailbroken iOS devices, in an effort to help responsible researchers find bugs before their less ethical counterparts do, according to a Forbes report earlier this month.