
Apple is offering up to $200,000 for hackers to find flaws in its products

Apple is offering hackers up to $200,000 to find security loopholes in its products, the company announced on Thursday, as it joins a number of major technology firms that have so-called "bug bounty programs".

The amount researchers are paid is based on the severity of the flaw they find. The lowest reward is $25,000, going up to $200,000.

It's one of the biggest rewards in the industry. Uber, for example, offers hackers up to $10,000, while Google's maximum prize pot is $20,000.

The program will be invite-only to begin with and potential hackers will be chosen from a group of experts who have previously made security flaws known to Apple. To get their reward, researchers will need to provide a proof-of-concept to Apple.


Often the rationale behind a bug bounty program is to allow people who may not work at the company, but have good expertise in cybersecurity, to identify and remove any vulnerabilities. It can be hard for the security team at a company to know all the flaws in a system.

Apple's program was announced at the Black Hat Conference in Las Vegas by Ivan Krstić, Apple's head of security engineering and architecture, who also went into technical detail about the security related to AutoUnlock, HomeKit, and iCloud Keychain. For Apple, this is an unusual amount of openness around the security of its products.

Bug bounty programs are often a way to deter hackers from finding vulnerabilities and then selling them on the black market. But these so-called "zero day exploits" – a hack that has been found before a patch has been discovered – can sell for much more on the "dark web" than a company is paying on its bug bounty schemes.

Earlier this year, Apple was locked in a tussle with the FBI over access to the iPhone used by a shooter in last year's San Bernardino attacks. Authorities eventually unlocked the phone through a third party but paid the company $1 million to carry out the hack.