Rumor had it that Apple was planning on launching a Mac bug bounty program, and it turns out that is indeed the case.
Apple this week is officially making some big changes to its bug bounty program. The changes were announced by Apple’s head of security engineering, Ivan Krstić, at this year’s Black Hat conference in Las Vegas, Nevada. To start, Apple is expanding the bug bounty program to all researchers later this year.
Next, the bug country program is opening up to support macOS. And, finally, the payouts are getting bigger, too. Previously, the cap was at $200,000 per exploit. Now, Apple will pay up to $1 million depending on the exploit discovered.
https://twitter.com/mikebdotorg/status/1159557138580004864
On top of that, researchers who discover a vulnerability or vulnerabilities before software is launched to the public, can qualify for up to 50% bonus payout on top of the stock bug bounty amount.
Additionally, Apple will be moving forward with handing out researchers to development iPhones. This will provide researchers with deeper access to the operating system and software, which should make it easier for bugs to be discovered. The developer iPhones are part of the new iOS Security Research Device Program, which Apple will launch sometime next year.
Up until this point, the bug bounty program was only available for iOS devices. Expanding to Macs is a big move for Apple, and handing out dev iPhones that provide deeper access to the software and OS should help researchers discover even more issues moving forward. Of course, offering higher payouts for discovering and disclosing those bugs will surely help, too.