Apple opens public bug bounty program, publishes official rules
Apple formally opened its bug bounty program to all security researchers today, after announcing the move in August at the Black Hat security conference in Las Vegas.
Until today, Apple ran an invitation-only bug bounty program for selected security researchers and accepted only iOS security bugs.
Starting today, the company will accept vulnerability reports for a much wider spectrum of products that also includes iPadOS, macOS, tvOS, watchOS, and iCloud.
In addition, the company has raised its maximum bug bounty reward from $200,000 to $1,500,000, with the payout depending on the complexity and severity of the exploit chain.
Apple publishes official rules
To make it official, Apple also published a new page on its website today detailing the bug bounty program's rules, along with a breakdown of the rewards researchers stand to earn for the exploits they submit.
The rules are strict and set a high bar for earning the top rewards. To be eligible for the top prizes and the various bonuses, researchers must submit clear reports that include:
- A detailed description of the issues being reported.
- Any prerequisites and steps to get the system to an impacted state.
- A reasonably reliable exploit for the issue being reported.
- Enough information for Apple to be able to reasonably reproduce the issue.
Security bugs that are novel, affect multiple platforms, work on the latest hardware and software, and impact sensitive components stand the best chance of earning the top $1.5 million reward.
Vulnerabilities found in beta releases are also highly prized. Apple says it will add a 50% bonus on top of the regular payout for any bug reported in a beta release.
Bugs in beta releases are prized because fixing them there lets Apple close major security flaws before they reach the production versions of its software, where they would affect billions of devices.
Apple will also pay a 50% bonus for regression bugs: bugs that Apple patched in an earlier version of its software and later accidentally reintroduced into the code.
Vulnerabilities that allow zero-click or one-click attacks bring the top money; however, Apple demands a full exploit chain for these submissions.
If one of these attacks uses three bugs chained together, the researcher must submit a working exploit chain that incorporates all three bugs, not just one, to earn the maximum reward.
“As a few have noted, the bar is set pretty high in terms of deliverables,” Patrick Wardle, Principal Security Researcher at Jamf and an Apple security expert, told ZDNet today.
“One of the biggest challenges of a bug bounty program is filtering out all the subpar reports, and knowing what is a real/valid bug and the impact said bug could have,” Wardle said.
“So requiring an exploit puts the onus on the researcher, yes, but it will also then help Apple quickly and fully understand which bugs should be prioritized and thus fixed (first).”
Below is the video of Ivan Krstić, Apple's head of security, announcing Apple's public bug bounty program at Black Hat over the summer (at 38:05). Krstić's presentation files are available for download. Below the video is an image of the payouts Apple is willing to provide to security researchers [source].