Apple launches 'bug bounty,' offering cash for reports of security flaws

Apple Inc said itplans to offer rewards of up to $200,000 to researchers who findcritical security bugs in its products, joining dozens of firmsthat already offer payments for help uncovering flaws in theirproducts.

The maker of iPhones and iPads provided Reuters with detailsof the plan, which includes some of the biggest bounties offeredto date, ahead of unveiling it on Thursday afternoon at theBlack Hat cyber security conference in Las Vegas.

The program will initially be limited to about two dozenresearchers who Apple will invite to help identifyhard-to-uncover security bugs in five specific categories.

Those researchers have been chosen from the group of expertswho have previously helped Apple identify bugs, but have notbeen compensated for that work, the company said.

'Secure boot' bugs most lucrative

The most lucrative category, which offers rewards of up to$200,000, is for bugs in Apple's "secure boot" firmware for
preventing unauthorized programs from launching when an iOSdevice is powered up.

Apple said it decided to limit the scope of the program atthe advice of other companies that have previously launched
bounty programs.

Those companies said that if they were to do it again, theywould start by inviting a small list of researchers to join,
then gradually open it up over time, according to Apple.

Security analyst Rich Mogull said that limitingparticipation would save Apple from dealing with a deluge of"low-value" bug reports.

"Fully open programs can definitely take a lot of resourcesto manage," he said.

Apple declined to say which firms provided advice.

Such rewards are currently offered by dozens of firms,including AT&T Inc, Facebook Inc, Google,Microsoft Corp, Tesla Motors Inc and Yahoo Inc

Microsoft, which has handed out $1.5 million in rewards tosecurity researchers since it launched its program three yearsago, also offers rewards for identifying very specific types ofbugs. Its two biggest payouts have been for $100,000 each.

Not all bounty programs are as focused as the ones fromApple and Microsoft.

Facebook, for example, has an open program that offersrewards for a wide-range of vulnerabilities. It has paid out
more than $4 million over the past five years, with last year'saverage payment at $1,780.

In March, Facebook paid $10,000 to a 10-year-old boy inFinland who found a way to delete user comments from Instagramaccounts.