Apple Announces Bug Bounty At Black Hat With Maximum $200,000 Reward

msm1267 quotes a report from Threatpost: Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty. The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of bugs in iOS and iCloud are in scope. Apple said the maximum reward will be $200,000 for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 access from a sandboxed process to user data outside that sandbox.

Invitation-only

I don't think Apple understands the concept of the bug bounty program. Making it invitation-only will not persuade those who find bugs and have not been invited from sharing the details of the bug with you.

invitation only... $200,000 max

[fustakrakich]

In the meantime the uninvited enjoy much greater rewards exploiting the bugs

Re:invitation only... $200,000 max

[Kjella]

In the meantime the uninvited enjoy much greater rewards exploiting the bugs

So? You also make more money selling crack cocaine than burgers at McDonald's, bounties are so white hats can make a living for those who want to be legit security researchers. I really doubt there's many that flip-flop between white hat and black hat depending on who's the highest bidder.