Earlier this year at the Black Hat security conference, Apple announced that it’s expanding the bug bounty program (which is previously known to have only included iOS) to more of its platforms. Now, the Cupertino giant has officially opened its bug bounty program to all security researchers. It has been expanded to iPadOS, macOS, tvOS, watchOS, and even iCloud.
Apple’s Bug Bounty program was invite-only when it opened up back in 2016 but starting today, it’s possible for anyone to participate in the program. Researchers who discover a bug will have to be detailed about their account, such that Apple can reproduce the issue on their end.
The company has listed some critical bugs, along with their payouts, on their website but does add that “Issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions, can result in a 50% bonus payment.” The researchers can earn the highest payout ($1 million) by reporting vulnerabilities that allow for ‘zero-click or one-click attacks’. Other payouts include up to $100,000 for bypassing the lockscreen, unauthorized iCloud access, and up to $250,000 if you extract sensitive information even when the screen is locked.
If you’re a security researcher who wants to partake in the Bug Bounty Program, then the company has penned down a simple eligibility criterion. It states – “In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available version of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration.” Also, Apple has mentioned that, where relevant, researchers should also use the latest publicly available hardware.
Apple’s Bug Bounty Program is one of the lucrative in the tech industry today and will be paying out as high as $1 million to researchers who discover critical vulnerabilities in the company’s softwares. It intends to match bounty payments with donations to qualifying charities and publicly recognize the researchers who submit valid reports going forward.