December 20, 2019

As first promised back in August, Apple’s bug bounty program is now open to all.

It was previously an invitation-only initiative, which attracted criticism as it incentivized non-invitees to sell vulnerability details to companies and governments who would exploit them to gain unauthorized access to Apple devices…

Apple had previously increased the maximum payouts after complaints about low rewards making it more likely that even invitees would be tempted to sell security vulnerabilities on the black market for much higher sums.

An Apple Security Bounty microsite has all the details, including eligibility.

In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware. These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research. Researchers must:

  • Be the first party to report the issue to Apple Product Security.
  • Provide a clear report, which includes a working exploit (detailed below).
  • Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).

Issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions, can result in a 50% bonus payment. Qualifying issues include:

  • Security issues introduced in certain designated developer beta or public beta releases, as noted on this page when available. Not all developer or public betas are eligible for this additional bonus.
  • Regressions of previously resolved issues, including those with published advisories, that have been reintroduced in a developer beta or public beta release, as noted on this page when available.

Apple has published a rate card of maximum payouts, which range from $100k to $1M – though the 50% beta bonus means that the maximum payout is $1.5M. Apple will also pay the same amount again to a charity.

Topic                                     Scenario                                                                  Maximum Payout
iCloud                                    Unauthorized access to iCloud account data on Apple servers               $100,000
Device attack via physical access         Lock screen bypass                                                        $100,000
                                          User data extraction                                                      $250,000
Device attack via user-installed app      Unauthorized access to sensitive data**                                   $100,000
                                          Kernel code execution                                                     $150,000
                                          CPU side channel attack                                                   $250,000
Network attack with user interaction      One-click unauthorized access to sensitive data**                         $150,000
                                          One-click kernel code execution                                           $250,000
Network attack without user interaction   Zero-click radio to kernel with physical proximity                        $250,000
                                          Zero-click unauthorized access to sensitive data**                        $500,000
                                          Zero-click kernel code execution with persistence and kernel PAC bypass   $1,000,000

To receive the maximum payout from Apple’s bug bounty program, you’ll need to include a working exploit, with a lower sum offered otherwise.

The goal of the Apple Security Bounty is to protect customers through understanding both vulnerabilities and their exploitation techniques. Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount. Reports lacking necessary information to enable Apple to efficiently reproduce the issue will result in a significantly reduced bounty payment, if accepted at all.

A separate webpage with sample payouts goes into more detail.

Apple yesterday published its 2019 Platform Security guide which detailed the security measures the company applies to its devices and services.
