Apple has taken a couple of giant strides in making itself more open to security researchers. Not only has it opened up a new set of bug bounties, but it has gone as far as to create a more hacker-friendly iPhone.
Obviously, the latter isn’t available to everyone and is intended for a small selection of trusted security researchers who have proven their worth by spotting exploits in locked-down Apple handsets before. The custom handsets will give this handful of owners a “root” shell as the default and will also have debugging privileges, Wired reports. Together, this should make finding vulnerabilities far easier, hopefully ensuring that fewer exploits make it out into the wild.
“We want to attract some of the exceptional researchers who have thus far been focusing their time on other platforms,” Ivan Krstic, head of security engineering and architecture at Apple, told an audience at the Black Hat Security Conference. “Today many of them tell us they look at our platform and they want to do research but the bar is just too high.”
As these hacker-friendly iPhones are only being provided to a limited number of security researchers, another change is potentially more significant. Apple’s bug bounty programme, itself only opened to select researchers three years ago, is to be expanded to macOS and other Apple operating systems.
More importantly, it will now be open to all, and sounds pretty generous with its rewards. Apple will pay anywhere from $100,000 for a lock screen bypass, all the way up to $1 million for remote attacks that can give a hacker total control of a computer without the owner doing anything. This reward gets a 50% bonus for exploits found when code is in beta, as the company is keen to snuff out bugs before new software reaches the majority of users.
This is a bold but welcome move by the company. By opening up the rewards programme to all, some exploits that might previously have been sold on the black market may instead end up being reported to Apple.
Is this the right approach from Apple? Let us know what you think on Twitter: @TrustedReviews.