Apple is opening its bug bounty program to all security researchers as well as expanding the systems they can be reported for. And hoo buddy, Apple is willing to slide them a pretty significant chunk of change for it, too.
Apple’s head of security for engineering and architecture Ivan Krstić tweeted the news Thursday (the move was previously announced at Black Hat this year). In a notice on its developer website, Apple notes the Security Bounty program for iOS, iPadOS, macOS, tvOS, or watchOS. As ZDNet noted, Apple’s bounty program was previously invitation-only and only extended to security issues with iOS.
In order to be eligible, the individual must be the first person to report the bug to Apple Product Security; they must hand over a report that includes a working exploit (Apple says it will only pay up to 50 percent of the award without one); and they need to keep the issue under wraps until Apple makes an official security advisory. For this, they will be paid handsomely.
The maximum payout can be anywhere from $100,000 for identifying lock screen bypasses and unauthorized access to iCloud data on the company’s servers to hundreds of thousands of dollars and up to $1 million for various one-click and zero-click scenarios. According to Apple, there is a $5,000 minimum payout across its various categories. And sure, Apple may be playing catch-up here. But this is a lot of money, even by the standards of other bounty programs.
The highest payout listed on Microsoft’s bug bounty page, for example, is a $300,000 award for finding a vulnerability related to its cloud service, Azure, and Microsoft pays a fraction of what Apple does for a zero-click. Google, however, does offer up to $1 million for identifying an exploit related to the Pixel Titan M and matches Apple’s $100,000 reward for lock screen bypass.
Apple’s bug bounty program has been a pain point for security researchers for quite a while. A security researcher who discovered a macOS Keychain exploit earlier this year, for example, engaged in something of a public standoff with the company over is glaring lack of a bounty program for systems beyond iOS. The company in the past has also faced criticism for low payouts for valuable bugs—though payouts have since increased.
The bar, however, “is set pretty high in terms of deliverables,” Jamf’s principal security researcher, Patrick Wardle, told ZDNet. So if this was your get rich quick scheme, well, good luck.