Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas. The tech giant will pay white hat hackers who report security flaws in iOS, macOS, watchOS, tvOS, iPadOS, and iCloud. On top of its maximum reward of $1 million, Apple will also offer a 50% bonus to those who find and report vulnerabilities in its pre-release software (beta versions) before public release, bringing the maximum reward to $1.5 million.
The reason why bugs in beta releases are highly prized is that these bug reports allow Apple to fix major security flaws before they reach production versions of its software, where they’ll impact billions of devices.
Vulnerabilities that allow for zero-click or one-click attacks are the ones that will bring researchers top money; however, Apple demands a full exploit chain for these types of submissions.
Since its launch three years ago, Apple’s bug bounty program was open only to selected security researchers by invitation and only rewarded reports of vulnerabilities in the iOS mobile operating system. In August, however, at the Black Hat cybersecurity conference, Apple announced a few major changes to its bug bounty program, including opening it to any researcher.
BUG-BOUNTY OFFICIAL RULES
To make it official, Apple has also published a new page on its website detailing the bug bounty program’s rules, along with a breakdown of the rewards researchers stand to earn per the exploits they submit.
The rules are rather strict, and they set a high bar for earning the top rewards. To qualify for the top prizes and the various bonuses, researchers must submit clear reports. A qualifying report must include:
- A detailed description of the issues reported.
- Any prerequisites and steps to get the system to an impacted state.
- A reasonably reliable exploit for the issue reported.
- Enough information for Apple to be able to reasonably reproduce the issue.
To claim a full reward, bug hunters must be the first to report an issue and must provide a clear report with a working exploit. They must also not disclose the problem before Apple issues a security advisory for the bug in question. Bug hunters are also not allowed to “hack” any account, device, or service other than their own.
Apple also confirmed that it will give security researchers special iPhones under a new program called the “iOS Security Research Device Program”. These devices are intended to make it easier for researchers to find weaknesses in the smartphones. The phones will have special features and will be available to researchers in 2020.