Apple has opened its bug bounty program to all security researchers, offering rewards of $1 million or more for discoveries of major flaws in its operating systems.
The program, which had been open by invitation only since its launch in 2016, now includes operating systems beyond iOS. Apple first announced at the Black Hat conference in August that it was opening the program to the public, and that iCloud, iPadOS, macOS, tvOS, and watchOS would be on the bug bounty list.
Researchers have to submit a detailed description of the issue, and enough detail to allow Apple to reproduce it.
The top payouts will go to researchers who discover bugs that affect multiple Apple platforms, especially if the issue affects the latest Apple devices and software. Any bug discovered in a beta version will earn the researcher a 50 percent bonus in addition to the standard reward. Among the potential payouts: A researcher who can bypass a device’s lock screen can earn between $25,000 and $100,000; gaining unauthorized iCloud access could net between $25,000 and $100,000; and extracting sensitive data from a locked device could be worth between $100,000 and $250,000.
The most lucrative bugs for researchers, however, will be those that produce attacks that take over a device without any action on the part of the user; so-called zero click attacks. The requirements are strict to collect a bounty in these instances and require a full exploit chain to be submitted with the report.
Even though it’s only been in place since 2016, Apple’s bug bounty program is one of the more lucrative among tech giants, and now joins competitors whose bug bounties already were open to the public.
And the timing of the bug bounty expansion may be partly in response to myriad problems with the very buggy iOS 13, which has included some security flaws. Bloomberg reported in November that in preparation for the release of iOS 14 in 2020, Apple has changed the way it tests software to be more in line with how Google, Microsoft, and other companies isolate and test changes in their software.
As part of the revised program, Apple said it will match donations of the bounty payments to qualifying charities, and publicly recognize researchers who submit valid reports.