At this week’s Black Hat security conference, Apple’s head of security engineering and architecture, Ivan Krstic, announced that the company will begin offering cash bounties of up to $200,000 to security researchers who discover vulnerabilities in the company’s products, TechCrunch reports. While companies such as Google and Microsoft have long offered similar programs to encourage hackers to find and disclose vulnerabilities, Apple has traditionally remained a holdout, despite the strong emphasis that the company places on security — particularly in an era when solutions like Apple Pay, HomeKit, and HealthKit are storing more and more crucial data on users’ iOS devices and in Apple’s cloud.
Yesterday’s announcement by Krstic represents another step in Apple’s efforts to cast off some of the opacity that has traditionally surrounded its security architecture, a move also largely telegraphed by the opening of the iOS 10 kernel to scrutiny by security researchers (although Apple’s official response was that this was done for performance reasons). This new approach not only makes Apple more transparent, but also allows a large community of hackers, researchers, and cryptographers to help Apple improve its security.
Even Krstic’s presence at Black Hat as a presenter, where he discussed security aspects of features like HomeKit, Auto Unlock, and iCloud Keychain, was a somewhat unprecedented step for Apple, which in the past has generally only sent representatives to these conferences as attendees.
Apple is unlikely to ever pay a high enough bounty to win over any hackers who are only interested in the payout — governments and black markets will pay considerably more, as evidenced by the $1.3 million that the FBI paid to break into the San Bernardino terrorist’s iPhone — but it will provide a significant enough incentive to those who are interested in helping Apple improve the security of its products.