Apple Launches Bug Bounty Program, A Security 'Mea Culpa'
Kyle Alspach and Steven Burke
Apple’s new plan to pay researchers that uncover security vulnerabilities in its products is a much-needed move that should reduce Apple product security breaches, solution providers told CRN.
The Cupertino, Calif.-based company aims to give customers added confidence about using its products by enlisting the help of researchers through the bug bounty program--which will pay rewards of between $25,000 and $200,000, depending on how serious the flaw is that the researcher discovers.
The bug bounty program represents something of a reversal for Apple, which has enjoyed a reputation that the iPhone and Mac platforms are more secure than Windows-based devices.
"Having a vendor like Apple stand up with a mea culpa recognizing the security issues and doing something to resolve it creates an environment in which the end customer has more trust in the product and services that we as strategic service providers are coming to the table with," said Douglas Grosfield, the founder and CEO of Five Nines IT Solutions, a pioneering Kitchener, Ontario-based strategic service provider. "This is going to shorten the sales cycle and reduce the number of times strategic service providers get chopped off at the knees for representing a product that doesn't work so well for consumers."
By contrast, Google, maker of the Android operating system, offers a far smaller maximum reward than does Apple’s new program, of $20,000. Grosfield said he expects the bug bounty program to help stem some of the market share gains being made by Android devices.
"I think the approach Apple is taking here is going to help them regain some of the market share Android has stolen," he said. "I am starting to see less Apple devices out there and more Android devices. I think what companies like Apple are starting to realize is that it is not enough to once or twice a year do a massive forklift upgrade of their OSes. They need to be more proactive and take the same kind of approach Microsoft has with Patch Tuesdays. That regular and granular level of security patching may be a little less user friendly but it reduces the gap between the discovery of a vulnerability and a potential attack."
The bug bounty program could also mean that researchers will be less likely to independently publicize Apple product vulnerabilities that they uncover, said Jerry Zigmont, owner of MacWorks LLC, an Apple consultant based in Madison, Conn.
’This would be a great step to take just to sort of thwart any big sensationalized headlines that don’t necessarily have a lot of merit,’ Zigmont said. ’We’ve seen this before, where you read something in the paper about an Apple security vulnerability, but it’s just proof of concept—a lot of these are not out in the wild.’
Apple announced the new bug bounty program at the Black Hat hacker conference in Las Vegas.