Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Apple Kicks Off Public Bug Bounty Program

Apple this week kicked off its public bug bounty program, just over four months after announcing it officially at the Black Hat cybersecurity conference in Las Vegas.

Apple this week kicked off its public bug bounty program, just over four months after announcing it officially at the Black Hat cybersecurity conference in Las Vegas.

The iPhone maker has been running a bug bounty program for over three years, but kept it private until now. In August this year, however, Apple announced that it would make the bug bounty program public, and also that the maximum rewards for critical vulnerabilities have been increased.

The program, which the company calls Apple Security Bounty, welcomes security researchers looking to discover and report vulnerabilities in iOS, iPadOS, macOS, tvOS, watchOS, and iCloud.

“As part of Apple’s commitment to security, we reward researchers who share with us critical issues and the techniques used to exploit them. We make it a priority to resolve confirmed issues as quickly as possible in order to best protect customers,” the Cupertino-based tech company says.

The company is willing to pay as much as $1,000,000 for critical vulnerabilities that could be exploited without user interaction to achieve kernel code execution with persistence and PAC (Pointer Authentication Codes) bypass.

The lowest maximum payouts are of $100,000, for unauthorized access to iCloud account data on Apple servers, lock screen bypass (device attack via physical access), and unauthorized access to sensitive data (device attack via user-installed app).

Network attacks that result in one-click access to sensitive data could earn researchers $150,000, while those resulting in one-click kernel code execution could receive rewards of up to $250,000. The maximum payouts for zero-click exploits range from $250,000 to $1,000,000.

Apple also announced that security researchers could receive a 50% bonus payment for discovering and reporting issues “that are unknown to Apple and are unique to designated developer betas and public betas, including regressions.”

To be eligible, security researchers should be the first to report the issue they identified, provide a clear report and a working exploit, and refrain from disclosing the vulnerability publicly before Apple releases their own security advisory.

The company also says that it would not pay more than half of the maximum payout amount for a basic proof-of-concept instead of a working exploit, and reports that don’t include necessary information to efficiently reproduce the issue “will result in a significantly reduced bounty payment, if accepted at all.”

Some security researchers have already reacted to this requirement, suggesting that the promised maximum payouts might be difficult to earn. Others have complained that Apple’s security team doesn’t respond to submissions as fast as expected, and that it might even take months for a response to arrive.

“Very nice bounties. But the response time is frustrating. I send one report few months ago and only receive the same answer when ask for updates “we currently do not have updates to share with you’,” one researcher says.

Related: Apple Offers Up to $1 Million in Public Bug Bounty Program

Related: ‘Unpatchable’ iOS Bootrom Exploit Allows Jailbreaking of Many iPhones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.