Apple is finally rewarding security researchers for finding security flaws in macOS. At the Black Hat conference today, Apple announced that it is greatly expanding its existing bug bounty program to include macOS, tvOS, watchOS, and iCloud. It will include rewards of up to $1 million for a zero-click, full chain kernel code execution attack.
While Apple originally started paying iOS bounties three years ago, researchers have only been paid for ones found in Apple’s mobile operating system. macOS was never included, and it’s led to a number of security researchers pushing the company to change course. Apple is now expanding its bug bounty program far behind just iOS.
iCloud, iOS, tvOS, iPadOS, watchOS, and macOS will now be covered. Apple is now opening its bug bounty program to all researchers and the payout is increasing beyond the current $200,000 maximum. The very maximum is a $1 million payout for iOS vulnerabilities that let attackers control a phone without any user interaction.
The updated bug bounty program could help convince more security researchers to report vulnerabilities to Apple. Earlier this year, a security researcher detailed a macOS flaw, but refused to submit it to Apple until the company pays researchers for Mac security flaws.
Security researchers have been reluctant to help Apple with its security, though. Apple now offers up to $1 million to security researchers who discover iOS vulnerabilities and report them, but these bugs are often way more valuable to sell on the black market.