Apple has opened its bug bounty program to all security researchers. Previously, the company’s bug bounty program was only available to selected security researchers via invitation.
The bug bounty program will reward anyone who reports vulnerabilities found in Apple’s iOS, macOS, watchOS, tvOS, iPadOS, and iCloud. Security researchers and hackers can receive cash payouts starting from USD 25,000 on iCloud, up to a maximum of USD 1 million for a zero-click kernel code execution with persistence and kernel PAC bypass. To be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, macOS, watchOS, tvOS, iPadOS, and iCloud on the latest available hardware. Researchers must also be the first to report the issue to Apple Product Security, provide a clear report with a working exploit, and not disclose the issue publicly before Apple releases a security advisory and update.
Apple will also give an additional 50% bonus to those who find bugs in the beta version of its software before its public release. There will also be a 50% bonus for those who report “regressions of previously resolved issues, including those with published advisories, that have been reintroduced in a developer beta or public beta release”.
To see the Bounty Categories in their entirety, check Apple’s dedicated Bug Bounty Program page.