Apple has officially opened the program it announced over the summer to every researcher working in the field of IT security. Their task is to find bugs across all of the Cupertino company's software platforms, in exchange for cash rewards whose amount varies with the severity of the discovered bug.
The differences from the bug bounty program Apple has run so far lie in the words “every researcher” and “all platforms”. Previously, access was limited to a number of researchers who received an explicit invitation, and the only relevant bugs were those in iOS. Now everyone can participate, and the bugs covered also include iPadOS, macOS, tvOS, watchOS and iCloud.
Apple Security Bounty
The maximum reward was also raised from $200,000 to $1,500,000. To qualify for it, participants must follow some rules. First, they must provide Apple with a report containing a detailed description of the bug, an indication of any prerequisites needed to trigger the problem, an exploit demonstrating that the bug exists, and all the information Apple needs to reproduce it. Furthermore, the finding must not be made public before Apple has officially addressed it, which almost always coincides with the release of the corrective patch.
The bugs that earn the highest rewards include those that are previously unknown, affect multiple platforms, occur on the latest hardware and software components, and can have an impact on sensitive data (contacts, emails, messages, notes, photos, etc.). The best-paid findings of all are vulnerabilities that allow network attacks to be carried out without any user interaction (zero-click bugs).
Rewards also receive a 50% bonus if the bug is identified in a beta, thereby preventing it from reaching the wider public who will use the stable version, or if it is a so-called regression bug: a bug previously fixed by Apple that resurfaces in a subsequent software release. Interested users can find the complete rules of the program at this link.