Apple recently confirmed the relaunch of its previously closed, public bug bounty program. The company made the announcement earlier this year at the Black Hat security conference in Las Vegas.
Till now, Apple organized an invitation-based bug bounty program for selected researchers and accepted only iOS related bugs. From now, the company accepts vulnerability reports from all security researchers and for a range of products that include iPadOS, tvOS, watchOS, macOS, and iCloud.
Apple published an official announcement detailing the rules of the bug bounty program, along with a breakdown of the rewards. The company also increased its maximum reward from US$ 200,000 to US$ 1,500,000, based on the exploit complexity and severity.
“As part of Apple’s commitment to security, we reward researchers who share with us critical issues and the techniques used to exploit them. We make it a priority to resolve confirmed issues as quickly as possible in order to best protect customers. Apple offers public recognition for those who submit valid reports and will match donations of the bounty payment to qualifying charities,” Apple said in a statement.
In order to earn maximum rewards and other bonuses, researchers must submit clear bug reports, which include:
- A detailed description of the issues being reported.
- Any prerequisites and steps to get the system to an impacted state.
- A reasonably reliable exploit for the issue being reported.
- Enough information for Apple to be able to reasonably reproduce the issue.
Apple also mentioned a detailed set of bounty categories ranging from a minimum bounty of US$ 25,000 to a maximum of US$ 1,000,000.
Apple isn’t the only company to offer huge bug bounty rewards. Earlier this year, Google announced the increase in its bug bounty rewards. The company raised bounties for Chrome and Google Play related bugs. Google launched the vulnerability rewards program in 2010 and provides cash rewards to security researchers who report vulnerabilities in Google code. The company stated that they’ve received around 8,500 vulnerability reports and paid rewards over US$5 million (£4 million).