Apple has just decided to up the ante by formally opening its extended bug bounty program to all researchers, accepting vulnerability reports for bugs in iOS, iPadOS, macOS, tvOS, watchOS, and iCloud.
Apple is also increasing its maximum bug bounty reward from $200,000 to $1,500,000, scaled by the exploit chain’s complexity and severity. Apple has published a new page on its website detailing the bug bounty program’s rules, along with a breakdown of the rewards researchers stand to earn for the exploits they submit.
The rules are strict and set a high bar for earning the top rewards. To be eligible for the top prizes and the various bonuses, researchers must submit clear reports that include the following:
- A detailed description of the issue being reported.
- Any prerequisites and steps to get the system to an impacted state.
- A reasonably reliable exploit for the issue being reported.
- Enough information for Apple to be able to reasonably reproduce the issue.
The conditions for the top $1.5 million reward are also demanding. To earn that amount, the bug has to be new, affect multiple platforms, work on the latest hardware and software, and impact sensitive components.
Vulnerabilities found in beta releases are also highly prized: Apple says it will add a 50% bonus on top of the regular payout for any bug reported in a beta release.
Bugs in beta releases are rewarded more highly because those reports allow Apple to fix major security flaws before they reach production versions of its software, where they would affect billions of devices.
Apple will also pay a 50% bonus for regression bugs, i.e. bugs that Apple previously patched in older versions of its software but that were accidentally reintroduced in the code at a later point.