Apple has quietly opened up its bug bounty program to the public and is offering up to $1.5 million in payouts for severe vulnerabilities.
Previously, the program was invitation-based and only selected security researchers who were approved were allowed to take part in the program to find vulnerabilities in the iOS mobile operating system.
Now, Apple has expanded its security bounty program to accept vulnerability reports for the latest versions of iOS, iPadOS, macOS, tvOS, watchOS and iCloud with a standard configuration and, where relevant, on the latest publicly available hardware, according to an Apple Security Bounty page.
The company has also increased its maximum bug bounty reward from $200,000 to $1,500,000.
Apple officially published a new page on its website detailing the bug bounty program’s rules on Thursday, which includes eligibility for the program, payment breakdown and how developers should submit reports.
In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware.
These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research. Researchers must:
- Be the first party to report the issue to Apple Product Security.
- Provide a clear report, which includes a working exploit (detailed below).
- Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).
Issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions, can result in a 50% bonus payment. Qualifying issues include:
- Security issues introduced in certain designated developer beta or public beta releases, as noted on this page when available. Not all developers or public betas are eligible for this additional bonus.
- Regressions of previously resolved issues, including those with published advisories, that have been reintroduced in a developer beta or public beta release, as noted on this page when available.
Further, Apple’s bug bounty program will pay between $100,000 for low-priority vulnerabilities, such as “unauthorized access to iCloud account data on Apple Servers,” and $1 million for “zero-click kernel code execution with persistence and kernel PAC bypass.” However, the researchers will need to submit a full exploit chain to claim their reward.
In addition to the funds given to researchers, Apple will match donations of the bounty payments to qualifying charities listed at Benevity.
You can find more information about Apple’s bug bounty program on its dedicated website.
Earlier this year, Google announced it will pay upto $1.5 Million in bug bounty for remotely hacking Titan M Chip in its pixel smartphones.