Apple this week kicked off its public bug bounty program, just over four months after announcing it officially at the Black Hat cybersecurity conference in Las Vegas.
The iPhone maker has been running a bug bounty program for over three years, but kept it private until now. In August this year, however, Apple announced that it would make the bug bounty program public, and also that the maximum rewards for critical vulnerabilities have been increased.
The program, which the company calls Apple Security Bounty, welcomes security researchers looking to discover and report vulnerabilities in iOS, iPadOS, macOS, tvOS, watchOS, and iCloud.
“As part of Apple’s commitment to security, we reward researchers who share with us critical issues and the techniques used to exploit them. We make it a priority to resolve confirmed issues as quickly as possible in order to best protect customers,” the Cupertino-based tech company says.
The company is willing to pay as much as $1,000,000 for critical vulnerabilities that could be exploited without user interaction to achieve kernel code execution with persistence and PAC (Pointer Authentication Codes) bypass.
The lowest maximum payouts are of $100,000, for unauthorized access to iCloud account data on Apple servers, lock screen bypass (device attack via physical access), and unauthorized access to sensitive data (device attack via user-installed app).
Network attacks that result in one-click access to sensitive data could earn researchers $150,000, while those resulting in one-click kernel code execution could receive rewards of up to $250,000. The maximum payouts for zero-click exploits range from $250,000 to $1,000,000.
Apple also announced that security researchers could receive a 50% bonus payment for discovering and reporting issues “that are unknown to Apple and are unique to designated developer betas and public betas, including regressions.”
To be eligible, security researchers should be the first to report the issue they identified, provide a clear report and a working exploit, and refrain from disclosing the vulnerability publicly before Apple releases their own security advisory.
The company also says that it would not pay more than half of the maximum payout amount for a basic proof-of-concept instead of a working exploit, and reports that don’t include necessary information to efficiently reproduce the issue “will result in a significantly reduced bounty payment, if accepted at all.”
Some security researchers have already reacted to this requirement, suggesting that the promised maximum payouts might be difficult to earn. Others have complained that Apple’s security team doesn’t respond to submissions as fast as expected, and that it might even take months for a response to arrive.
“Very nice bounties. But the response time is frustrating. I send one report few months ago and only receive the same answer when ask for updates “we currently do not have updates to share with you’,” one researcher says.