After years of being the only major software company which did not offer us bounties, the fruity cargo cult also known as Apple has finally started offering rewards to those who find bugs in its software.
Apple said it will offer rewards of up to $200,000 to researchers who find critical security bugs in its products. The Tame Apple Press claims that Apple’s scheme is the biggest and the most generous to date, but if you look at the scheme for about five seconds you can see that is not exactly true.
The programme will initially be limited to about two dozen researchers whom Apple will invite to help identify hard-to-uncover security bugs in five specific categories. So basically you have to be invited, agree, and then only be allowed to find bugs that Apple wants you to find. You can’t find those which Apple wants to pretend do not exist.
Those researchers have been chosen from the group of experts who have previously helped Apple identify bugs, but have not been compensated for that work, the company said.
The most lucrative category, which offers rewards of up to $200,000, is for bugs in Apple’s “secure boot” firmware for preventing unauthorised programs from launching when an iOS device is powered up.
Apple said it decided to limit the scope of the programme at the advice of other companies that have previously launched bounty programs. Those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open it up over time. The fear is that they will be hit by a deluge of “low-value” bug reports.
Microsoft, which has handed out $1.5 million in rewards to security researchers since it launched its program three years ago, also offers rewards for identifying very specific types of bugs. Its two biggest payouts have been for $100,000 each.