Apple, Panasonic to incentivize third-party security research

Apple, Panasonic and security vendor Kaspersky Lab all announced programs this week to reward hackers who find and report security flaws in their products. 

The rewards, known as bug bounty programs, are an increasingly important component of the cybersecurity landscape. 


At a time when Internet of Things companies are still notorious for not even allowing researchers to notify them of vulnerabilities for free, the tech sector’s heavyweights are flocking to bounties. They work as incentive programs for “vulnerability disclosure,” encouraging outside researchers to look at their products and, in some cases, encouraging them not to publicly release vulnerabilities without notifying the vendor first.

Companies that already offer bounties range from Microsoft, Google and Uber down to niche products like Khan Academy and Pornhub. The Pentagon recently expanded its pilot bounty program after receiving more than 100 vulnerability reports in less than a month. 

Apple had previously accepted free advice from researchers, but is now willing to commit to an incentive structure. 

“We’ve had great help from researchers like you and the security mechanisms we build have gotten stronger,” said Ivan Krstić, Apple’s head of security engineering and architecture.

Apple may have been pushed by other developments in the industry. Last year, the company Zerodium offered $1 million for Apple vulnerabilities that would allow it to remotely alter iOS phones. Zerodium was founded by Chaouki Bekrar, once described by Motherboard as “a notorious merchant of unknown” vulnerabilities on the grey market. 

Apple and Kaspersky made their announcements at the Black Hat security conference this week, and Panasonic is focusing on the DEF CON conference. Black Hat and DEF CON are the two large pillars of three conferences that run back to back to back in Las Vegas every year. 

Details are scarce about Panasonic’s plan, which appears to be focused on its avionics division and will be invitation-only. Apple’s program, also invite-only, will offer up to $100,000 per bug and will match donations to charity made from the payouts. Kaspersky will offer up to $50,000 total in its plan, which is open to anybody. 

The success of bounties has created a new market for companies that help facilitate the programs. Kaspersky and Panasonic are both using one such company, HackerOne. 

“We think it’s time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs,” said Nikita Shvetsov, Kaspersky Lab’s chief technology officer, in a written statement.