Apple has just updated the rules of its bug bounty program by announcing a few major changes during a briefing at the annual Black Hat security conference yesterday.
One of the most attractive updates is…
Apple has enormously increased the maximum reward for its bug bounty program from $200,000 to $1 million—that’s by far the biggest bug bounty offered by any major tech company for reporting vulnerabilities in its products.
The $1 million payouts will be rewarded for a severe deadly exploit—a zero-click kernel code execution vulnerability that enables complete, persistent control of a device’s kernel. Less severe exploits will qualify for smaller payouts.
From now onwards, Apple’s bug bounty program is not just applicable for finding security vulnerabilities in the iOS mobile operating system, but also covers all of its operating systems, including macOS, watchOS, tvOS, iPadOS, and iCloud.
Since its inception around three years ago, Apple’s bug bounty program only rewards security researchers and bug bounty hunters for discovering vulnerabilities in the iOS mobile operating system, which will continue until the expanded program comes into effect this fall.
Are you excited? Here’s a special iPhone that can be yours…
From next year, Apple will also provide pre-jailbroken iPhones to a selection of trusted security researchers as part of the iOS Security Research Device Program. The new program was first reported by Forbes.
These devices will have far deeper access than iPhones available to everyday users, including access to ssh, root shell, and advanced debug capabilities, allowing researchers to hunt for vulnerabilities at the secure shell level.
Though anyone can apply to receive one of these special iPhones from Apple, the company will hand out only a limited number of these devices and only to qualified researchers.
Not compelling enough? Bonus rewards are also waiting for you…
On top of its maximum reward of $1 million, Apple is also offering a 50% bonus to researchers who find and report security vulnerabilities in its pre-release software (beta version) before its public release—bringing its maximum reward to $1.5 million.
You can apply for Apple’s revised bug bounty program later this year, which will be open to all researchers, rather than a limited number of security experts approved by Apple.
The expansion and massive boost in the payout of Apple’s bug bounty program are likely to be welcomed by security researchers and bug bounty hunters who either publicly disclose vulnerabilities they discovered in Apple products or sell it to private vendors like Zerodium, Cellebrite, and Grayshift who deal in zero-day exploits, for profit.