Apple has opened up its bug bounty program to the general research community, offering payments of as much as $1.5 million for a small number of serious issues in some beta releases.
Like most bounty programs, Apple’s new initiative has a number of restrictions and requires researchers to report their discoveries directly to the company and not disclose them publicly before Apple publishes an advisory. The program applies to vulnerabilities in the current version of Apple’s operating systems, including macOS, iPadOS, iOS, tvOS and watchOS, as well as some public and developer beta releases. Researchers who find security vulnerabilities in those beta releases can get as much as a 50 percent bonus payment on top of the normal bounty.
The low end of payments in Apple’s new program is close to the high end in many other programs: $100,000 for a lock screen bypass or unauthorized access to a target iCloud account, for example. The top payment of $1 million is reserved for a vulnerability and full exploit chain that achieves zero-click kernel code execution with persistence and a bypass of the pointer authentication code (PAC) protection in Apple’s ARM processors. Bounties of $500,000 are available for zero-click unauthorized access to sensitive user data, such as contacts, messages, emails, and photos.
“Bounty payments are determined by the level of access or execution achieved by the reported issue, modified by the quality of the report. A maximum amount is set for each category. The exact payment amounts are determined after review by Apple. All security issues with significant impact to users will be considered for Apple Security Bounty payment, even if they do not fit the published bounty categories. Apple Security Bounty payments are at Apple’s discretion,” Apple said in its announcement.
In order to qualify for a full bounty payment, a researcher has to be the first to report a vulnerability and can’t publish any information about the bug until Apple has published its own advisory. Researchers also need to provide a full working exploit chain for a vulnerability to qualify for a full payment.
“The goal of the Apple Security Bounty is to protect customers through understanding both vulnerabilities and their exploitation techniques. Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount. Reports lacking necessary information to enable Apple to efficiently reproduce the issue will result in a significantly reduced bounty payment, if accepted at all.”
Requiring a full working exploit to earn the maximum payout is somewhat unusual in the bug bounty world, but not unheard of. Most programs ask researchers to submit a proof-of-concept that demonstrates the bug, and some offer a bonus payment for a full exploit. Developing a full exploit certainly increases the effort required of researchers, but it also gives Apple more than a crash or a single primitive: a working chain shows the real impact of the bug and the technique needed to exploit it, which is what Apple says it wants to understand, and it helps ensure that the reports it receives are high quality.
Apple has had a limited bug bounty program for several years, but it was invitation-only and had an even more restrictive set of requirements.