When it comes to cybersecurity, sometimes the best defense is a good offense.
Hence, offering “bug bounties”—financial rewards for discovering potential vulnerabilities in software and systems—is becoming increasingly popular. Technology companies and large enterprises alike have been offering financial incentives, well into the six-figure range, to white-hat hackers who can find the gaps that cybercriminals might otherwise exploit, for financial gain or other reasons.
Bug bounties have become such a hot topic that last month’s Black Hat USA conference dedicated a half-day “micro-summit” to the subject, covering whether to run a private or a public bounty, how to write a good bounty brief, the common pitfalls of bug bounty programs, legal ramifications, how to measure and report on a program’s success, and crisis management around bug discoveries. Technology industry behemoths Microsoft and Apple both announced last month that they would be expanding their bug bounty programs.
Apple, for example, is opening its bug bounty program to all security researchers, whereas previously it was invite-only. Apple has also significantly upped the ante, raising its top reward from $200,000 to as much as $1 million for vulnerabilities in Apple’s iPhones and Macs. Now, any researcher can submit discovered vulnerabilities and earn as much as $100,000 for unauthorized access to iCloud account data on Apple servers, or up to $1 million for a full-chain kernel code execution attack. Additionally, bugs found on “designated pre-release builds” are eligible for a 50% bonus.
Ivan Krstić, Apple’s head of security engineering, said that next year, Apple will provide special iPhones to security researchers to help them find security flaws in iOS. Apple did not start offering a bug bounty program until 2016, and even then, it was only for iOS and iCloud.
Apple has long been notoriously insular, relying on its internal developers when it comes to handling security vulnerabilities. The fact that even this Silicon Valley giant is getting into the bug bounty game, offering large rewards to those who can catch vulnerabilities before attackers do, points to a sea change in the way organizations view and handle security vulnerabilities and intrusions.
For its part, Seattle-based tech titan Microsoft is offering up to $300,000 to a select group of researchers who can successfully hack Microsoft’s Azure public-cloud infrastructure service. Kymberlee Price, Microsoft security manager, said at Black Hat’s micro-summit, “To make it easier for security researchers to confidently and aggressively test Azure, we are inviting a select group of talented individuals to come and do their worst to emulate criminal hackers.”