Apple Officially Opens Bug Bounty Program To All Researchers Apple has officially opened its bug bounty program to all security researchers. Starting today, any security researcher who finds an error in iOS, macOS, tvOS, watchOS, or iCloud can get a bounty payment by disclosing the vulnerability to Apple, whereas previously only available to iOS devices.
As part of Apple’s commitment to security, we reward researchers who share with us critical issues and the techniques used to exploit them. We make it a priority to resolve confirmed issues as quickly as possible in order to best protect customers. Apple offers public recognition for those who submit valid reports, and will match donations of the bounty payment to qualifying charities.
Apple also increased the upper limit of bounty from $200,000 to $1 million per vulnerability based on the nature of the security breach, for instance, an zero-click kernel code execution with persistence and kernel PAC bypass would receive the largest bonus.
The company said that if a flaw is discovered in Beta software, the payment would increase by 50 percent over the standard bonus (i.e. up to $1.5 million) which allows the company to resolve the issue before the OS version is made public. Apple also offers the same incentives for so-called “regression bugs,” which were bugs that Apple had patched in the past but which were mistakenly reintroduced in subsequent versions of the software.
When submitting the report, researchers must provide a detailed description of the problem, any prerequisites and steps to get the system to an impacted state, a reasonably reliable exploit for the issue being reported, and enough information for Apple to reliably reproduce the problem.
Next year, Apple plans to offer special iPhones to censored and trusted security researchers and hackers who can provide deeper access to the underlying software and operating system, making it easier to find vulnerabilities. Such iPhones are part of Apple’s forthcoming iOS Security Research Device Program, which seeks to enable other security researchers to uncover bugs and eventually provide users with more secure devices