Apple expands bug bounty program, opens it to all researchers, raises rewards

Three years ago at the Black Hat conference, Apple announced its first bug bounty program, which was invite-only and limited to iOS.

At this year’s edition of the con, Ivan Krstić, Apple’s head of security engineering and architecture, announced changes to it.

Wider scope, higher bug bounties

Starting this fall, the program will be open to all researchers.

The bug bounty program has been widened to include the following “targets”: macOS, iCloud, tvOS, watchOS and iPadOS (an upcoming mobile OS for iPads).

Maximum payouts for specific bugs are as follows:

  • Unauthorized access to iCloud account data on Apple servers – $100,000
  • Attack via physical access
    • Lock screen bypass – $100,000
    • User data extraction – $250,000
  • Attack via user-installed app
    • Unauthorized access to high-value user data – $100,000
    • Kernel code execution – $150,000
    • CPU side channel attack on high-value user data – $250,000
  • Network attack requiring user interaction
    • One-click unauthorized access to high-value user data – $150,000
    • One-click kernel code execution – $250,000
  • Network attack with no user interaction
    • Zero-click radio to kernel with physical proximity – $250,000
    • Zero-click access to high-value user data – $500,000
    • Zero-click kernel code execution with persistence – $1,000,000

If any of these bugs is found in pre-release builds, researchers can also earn a hefty bonus (up to 50% of the reward amount).

The iOS Security Research Device program

In addition to all this, Krstić has announced the iOS Security Research Device program: a security research program that will be limited to a vetted group of participants.

Applications are open, but Apple looks for researchers that have a track record of high-quality system security research on any platform.

Participants will receive special iPhones to tinker with and hack – devices “with ssh, a root shell, and advanced debug capabilities.”


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss