Apple opens security bug bounty to all researchers
A revamped Apple Security Bounty sets out much higher rewards for anyone who finds bugs in Apple software, with a bonus for bugs found in beta releases. The program now covers all of Apple's operating systems and no longer requires an invitation.
While Apple has had such a program since 2016, it was limited in scope and paid out a maximum of $200,000. The ceiling is now $1 million, and Apple will pay a further 50% on top if the bug is found in beta software and so can be fixed before public release.
"Bounty payments are determined by the level of access or execution obtained by the reported issue, modified by the quality of the report," says Apple on its developer website. "Issues that are unique to designated developer or public betas, including regressions, can result in a 50% additional bonus if the issues were previously unknown to Apple."
As well as the bounty, Apple will publicly acknowledge the discoverer of the bug and says that if the reward is donated to a qualifying charity, it will match that donation. The qualifying charities are those listed on the Benevity Causes website.
The rewards in the newly expanded Apple Security Bounty are significant for more than their size. Apple has previously been criticized for paying below industry rates and for making bug reporting unnecessarily hard. Its top payout is now at least as high as the maximums offered by Microsoft and Google.
Google, Microsoft and Apple all offer a sliding scale of rewards depending on the type and severity of bug discovered. Apple's now starts at $25,000 for several different categories of bugs, including what it calls "limited unauthorized control of an iCloud account."
As well as raising the sums offered, the new Apple Security Bounty broadens the scope of the program. Previously, Apple paid up to $200,000, and only for bugs discovered in iOS. Now the bounty covers iOS, iPadOS, macOS, watchOS and tvOS.
Discovering a bug is only the first step. Whatever its severity, a report must also meet further conditions before it earns a bounty:
- Only the first person to report the bug gets the bounty
- The report must be clear and specific enough for Apple to reproduce the problem
- The bug cannot be disclosed publicly until Apple has resolved it
Typically the last condition is met when Apple releases an update that fixes the problem, but it can also be met when Apple issues a security advisory warning users about the bug.