More money on offer to skilled flaw finders
Apple has opened up its lucrative and revamped bug bounty program to the public.
The program – previously limited to a select (invited) few – is now open to everybody capable of finding a bug within macOS, iOS, tvOS, watchOS, or iCloud.
The most severe classes of vulnerabilities are eligible for payouts of up to $1 million, or more where a bug affects both release and beta versions of Apple’s software. The size of the payout depends on an exploit chain’s complexity and severity and can reach a maximum of $1.5m.
The biggest paydays would come from the confirmed discovery of a network attack without user interaction that achieves persistent infection of a targeted device despite Apple’s security precautions.
Lower but still substantial paydays would come from the discovery of a network attack that requires user interaction ($150k-$250k), a device attack via user-installed app ($100k-$250k), and a device attack via physical access (lock screen bypass, $100k; vulnerabilities that allow user data extraction, $250k).
Bugs that allow for unauthorized access to iCloud account data on Apple servers would earn bounty hunters up to $100k.
To be eligible for payouts, researchers need to find bugs in devices set up with a “standard configuration and, where relevant, on the latest publicly available hardware”.
“Issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions, can result in a 50% bonus payment,” Apple explained.
“All security issues with significant impact to users will be considered for Apple Security Bounty payment, even if they do not fit the published bounty categories.
“Apple Security Bounty payments are at Apple’s discretion.”
Bug hunters need to be the first to tell Apple about the issue – and hold off going public with their findings until Apple publicly releases a security advisory – to qualify for a payout.
“Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount,” Apple cautioned.
Trailing the newly announced program last month, Apple’s Ivan Krstić said on Twitter that an iOS Security Research Device program, touted as “an unprecedented, Apple-supported research platform for talented researchers”, is in the pipeline for next year.
Apple offers public recognition to those researchers who submit valid reports, and will match donations of the bounty payment to specified qualifying charities.
Reaction from bug hunters has been (mostly) positive, with some comparing Apple’s rewards to the lesser payouts offered under comparable programs.
“Why did I decide to focus on Microsoft instead of Apple? Bug bounty for a Windows Zeroclick is $30k,” said Marcus Hutchins in a Twitter update.
Security researcher thegrugq was more cautious: “Has anyone actually been paid for any Apple bug bounty they submitted?”
Bug bounty pioneer Katie Moussouris warned last month that the high payout offers from Apple and Google could have unintended consequences by making it harder for vendors to retain security-skilled software developers.
“This price for external research raises questions for retention & recruitment of internal talent meant to prevent flaws,” she cautioned, adding that a vendor program could never keep up with those on offer in the black market.