Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Apple Kicks Off Public Bug Bounty Program

Apple this week kicked off its public bug bounty program, just over four months after announcing it officially at the Black Hat cybersecurity conference in Las Vegas.

Apple this week kicked off its public bug bounty program, just over four months after announcing it officially at the Black Hat cybersecurity conference in Las Vegas.

The iPhone maker has been running a bug bounty program for over three years, but kept it private until now. In August this year, however, Apple announced that it would make the bug bounty program public, and also that the maximum rewards for critical vulnerabilities have been increased.

The program, which the company calls Apple Security Bounty, welcomes security researchers looking to discover and report vulnerabilities in iOS, iPadOS, macOS, tvOS, watchOS, and iCloud.

“As part of Apple’s commitment to security, we reward researchers who share with us critical issues and the techniques used to exploit them. We make it a priority to resolve confirmed issues as quickly as possible in order to best protect customers,” the Cupertino-based tech company says.

The company is willing to pay as much as $1,000,000 for critical vulnerabilities that could be exploited without user interaction to achieve kernel code execution with persistence and PAC (Pointer Authentication Codes) bypass.

The lowest maximum payouts are of $100,000, for unauthorized access to iCloud account data on Apple servers, lock screen bypass (device attack via physical access), and unauthorized access to sensitive data (device attack via user-installed app).

Network attacks that result in one-click access to sensitive data could earn researchers $150,000, while those resulting in one-click kernel code execution could receive rewards of up to $250,000. The maximum payouts for zero-click exploits range from $250,000 to $1,000,000.

Apple also announced that security researchers could receive a 50% bonus payment for discovering and reporting issues “that are unknown to Apple and are unique to designated developer betas and public betas, including regressions.”

To be eligible, security researchers should be the first to report the issue they identified, provide a clear report and a working exploit, and refrain from disclosing the vulnerability publicly before Apple releases their own security advisory.

The company also says that it would not pay more than half of the maximum payout amount for a basic proof-of-concept instead of a working exploit, and reports that don’t include necessary information to efficiently reproduce the issue “will result in a significantly reduced bounty payment, if accepted at all.”

Some security researchers have already reacted to this requirement, suggesting that the promised maximum payouts might be difficult to earn. Others have complained that Apple’s security team doesn’t respond to submissions as fast as expected, and that it might even take months for a response to arrive.

“Very nice bounties. But the response time is frustrating. I send one report few months ago and only receive the same answer when ask for updates “we currently do not have updates to share with you’,” one researcher says.

Related: Apple Offers Up to $1 Million in Public Bug Bounty Program

Related: ‘Unpatchable’ iOS Bootrom Exploit Allows Jailbreaking of Many iPhones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.