Apple’s bug bounty program now offers a million-dollar reward to anyone who can hack into an iPhone.
Since 2016, Apple has been rewarding select security researchers for finding vulnerabilities. Until recently, these participants had to be approved by Apple. The Cupertino-based company is now expanding this program to anyone who finds a flaw.
The greatest reward, one million dollars, is offered to anyone who can hack into an iPhone without the user’s participation. Researchers at a Black Hat security conference recently bypassed Face ID; however, this required the iPhone user’s participation.
Apple’s bounty program has also expanded beyond iOS. The company now pays rewards to anyone who can find a security flaw in the Apple Watch, iCloud, iPad and other devices.
Beyond the million-dollar prize, lesser rewards are offered for less severe security breaches. Bypassing basic access on a device earns a $100,000 reward. There’s a $250,000 bounty for anyone who can collect user data from a device. If it’s high-value user data, the reward goes up to $500,000.
These bounty programs are highly effective and provide incentives for black hat researchers to protect security infrastructure. Apple has found about 50 defects through its security bounty program. The costs are reasonable, considering the expense of in-house quality assurance testing.
Competitors like Google and Microsoft have also been rewarding researchers for finding flaws. Google credits its program with finding 8,500 defects. The company has paid out over $5 million in the past decade. Increases to its bounty program are expected to uncover more challenging flaws.
Microsoft has taken this concept a step further, creating a software platform for reporting security defects. Azure Security Lab, launching soon, offers the ability to exploit security flaws without causing any real-world harm. Microsoft is also increasing bounty payments, with a top reward of $300,000. So far, the company has paid out $4.4 million in bug bounties.