As promised back in August, the Apple bug bounty program is now open to all. The initiative had been invitation-only. Now, any security researcher who finds bugs in iOS, macOS, tvOS, watchOS, or iCloud will be eligible to receive a cash payout for disclosing the vulnerability to Apple.
Apple has published a rate-card of maximum payouts, ranging from $100k to $1M. A 50% beta bonus means that the maximum payout could be as much as $1.5M. Apple will also pay an identical amount to a charity.
Apple had recently increased the maximum payouts, following complaints about the low reward amounts, which many said made it more likely that researchers would be tempted to sell security vulnerabilities to the bad guys for much more money.
The Apple Security Bounty microsite offers the details about the program, including eligibility.
In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware. These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research. Researchers must:
- Be the first party to report the issue to Apple Product Security.
- Provide a clear report, which includes a working exploit (detailed below).
- Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).
Issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions, can result in a 50% bonus payment. Qualifying issues include:
- Security issues introduced in certain designated developer beta or public beta releases, as noted on this page when available. Not all developer or public betas are eligible for this additional bonus.
- Regressions of previously resolved issues, including those with published advisories, that have been reintroduced in a developer beta or public beta release, as noted on this page when available.
Topic | Issue | Maximum Payout
---|---|---
iCloud | Unauthorized access to iCloud account data on Apple Servers | $100,000
Device attack via physical access | Lock screen bypass | $100,000
Device attack via physical access | User data extraction | $250,000
Device attack via user-installed app | Unauthorized access to sensitive data** | $100,000
Device attack via user-installed app | Kernel code execution | $150,000
Device attack via user-installed app | CPU side channel attack | $250,000
Network attack with user interaction | One-click unauthorized access to sensitive data** | $150,000
Network attack with user interaction | One-click kernel code execution | $250,000
Network attack without user interaction | Zero-click radio to kernel with physical proximity | $250,000
Network attack without user interaction | Zero-click unauthorized access to sensitive data** | $500,000
Network attack without user interaction | Zero-click kernel code execution with persistence and kernel PAC bypass | $1,000,000
For a researcher to receive the maximum payout from Apple’s bug bounty program, they’ll need to include a working exploit; otherwise a lower sum will be offered. An additional page with sample payouts offers more detail.
Apple has also published its 2019 Platform Security guide.