Apple launches high-reward bug bounty program

Apple will offer rewards of up to US$200,000 (A$261,612) to researchers who find critical security bugs in its products as part of its first-ever bug bounty program.

The program - unveiled at the Black Hat conference in Las Vegas today - offers some of the biggest bounties in the industry to date.

It will initially be limited to about two dozen researchers who Apple will invite to help identify hard-to-uncover security bugs in five specific categories.

Those researchers have been chosen from the group of experts who have previously helped Apple identify bugs, but have not been compensated for that work, the company said.

The most lucrative category, which offers rewards of up to US$200,000, is for bugs in Apple's "secure boot" firmware for preventing unauthorised programs from launching when an iOS device is powered up.

Apple said it decided to limit the scope of the program at the advice of other companies that have previously launched bounty programs.

Those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open it up over time, according to Apple.

Security analyst Rich Mogull said limiting participation would save Apple from dealing with a deluge of "low-value" bug reports.

"Fully open programs can definitely take a lot of resources to manage," he said.

Apple declined to say which firms provided advice.

Such rewards are currently offered by dozens of firms, including Facebook, Google, Microsoft, Tesla Motors and Yahoo.

Microsoft, which has handed out US$1.5 million in rewards to security researchers since it launched its program three years ago, also offers rewards for identifying very specific types of bugs. Its two biggest payouts have been for US$100,000 each.

Not all bounty programs are as focused as the ones from Apple and Microsoft.

Facebook, for example, has an open program that offers rewards for a wide-range of vulnerabilities. It has paid out more than US$4 million over the past five years, with last year's average payment at US$1780.

In March, Facebook paid US$10,000 to a 10-year-old boy in Finland who found a way to delete user comments from Instagram accounts.