Apple has officially opened its bug bounty program to everyone, offering up cash rewards to researchers who discover and report bugs, vulnerabilities and other issues.
Previously, the initiative was invite-only, which drew criticism because it gave researchers who were not invited an incentive to sell vulnerability details to brokers, companies or governments that would exploit them rather than report them to Apple. The company has also increased payouts after complaints that the earlier rewards were too low.
Apple now has a ‘Security Bounty’ website that details eligibility for bug bounty submissions. To be eligible for an Apple Security Bounty, the vulnerability must be on “the latest publicly available versions of iOS, iPadOS, macOS, tvOS or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware.”
The Cupertino, California-based company says that the rules are in place to protect customers until an update is available and allow Apple to quickly verify reports and create updates.
The site notes that researchers must:
- Be the first party to report the issue to Apple Product Security.
- Provide a clear report, which includes a working exploit.
- Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).
Further, Apple says that issues unknown to the company that are unique to designated developer betas and public betas can result in a 50 percent bonus payment:
- Security issues introduced in certain designated developer beta or public beta releases, as noted on this page when available. Not all developer or public betas are eligible for this additional bonus.
- Regressions of previously resolved issues, including those with published advisories, that have been reintroduced in a developer beta or public beta release, as noted on this page when available.
Payouts for different bug bounties
Finally, Apple published a list of the maximum payouts, which range from $100,000 to $1 million USD (between $131,680 and $1.32 million CAD). With the 50 percent beta bonus, the maximum payout is $1.5 million USD (about $1.98 million CAD). On top of that, Apple says it will match bounty payments that researchers donate to qualifying charities.
- Unauthorized access to iCloud account data on Apple Servers – $100,000
- Device attack via physical access
  - Lock screen bypass – $100,000
  - User data extraction – $250,000
- Device attack via user-installed app
  - Unauthorized access to sensitive data – $100,000
  - Kernel code execution – $150,000
  - CPU side channel attack – $250,000
- Network attack with user interaction
  - One-click unauthorized access to sensitive data – $150,000
  - One-click kernel code execution – $250,000
- Network attack without user interaction
  - Zero-click radio to kernel with physical proximity – $250,000
  - Zero-click unauthorized access to sensitive data – $500,000
  - Zero-click kernel code execution with persistence and kernel PAC bypass – $1,000,000
All the above amounts are in USD and are maximums. Reports that don’t include a working exploit are eligible for at most 50 percent of the maximum payout, and reports lacking the information Apple needs to reproduce the issue may not be accepted at all.
You can learn more about the program on Apple’s Security Bounty site.