As Apple promised in August this year, the company has finally launched a bug bounty program open to all security researchers, offering cash rewards to anyone who reports vulnerabilities in iOS, macOS, watchOS, tvOS, iPadOS, and iCloud to the company.
Since its launch three years ago, Apple’s bug bounty program had been open only to invited security researchers and offered rewards only for vulnerabilities reported in the iOS mobile operating system.
However, speaking at a hacker conference in August of this year, Ivan Krstić, head of Security Engineering and Architecture at Apple, announced the upcoming bug bounty program, which included three key points:
- a huge increase in the maximum reward, from $200,000 to $1.5 million,
- accepting bug reports for all of its latest operating systems and devices,
- opening the program to all researchers.
Today, all security researchers and hackers can get paid for finding and responsibly disclosing actual security vulnerabilities in “the latest publicly available versions of iOS, iPadOS, macOS, tvOS or watchOS with a standard configuration,” as Krstić first announced on Twitter.
Even after submitting a valid security bug, researchers must follow some basic eligibility rules to receive a reward, including reporting the details directly to the Apple security team, not revealing anything publicly before the company releases a patch, and providing a clear report that accompanies the exploit.
As shown in the above payout table, the $1 million reward will be awarded only to those who find a critical vulnerability leading to zero-click kernel code execution that gives complete and persistent control over the target device.
What else? In addition to the maximum reward of $1 million, Apple will also offer a 50% bonus to those who find and report vulnerabilities in its pre-release (beta) software before its public release, bringing the maximum reward to $1.5 million.
In addition, Apple will now also pay a bonus of 50% of the applicable reward amount for reporting a “regression” vulnerability, i.e. one that the company fixed in a previous version of its software but that “incorrectly” reappears in a developer beta or public beta.
The Apple Security Bounty program also aims to attract hackers who would otherwise publicly disclose the vulnerabilities they discover in Apple products, or sell them to private vendors such as Zerodium, Cellebrite, and Grayshift, which trade in zero-day exploits.