Apple has announced the expansion of the scope and the payouts of its security bounty program. After first making the program invite-only, it now encourages all security researchers to participate. What’s more, researchers who discover heretofore unknown exploits in Apple operating systems and services can earn up to $1.5 million, a huge bump from the previous $200,000 cap.
Earlier this year Apple’s head of security engineering Ivan Krstić spoke at the Black Hat conference in Las Vegas, Nevada to sketch out the company’s plans to improve its security bounty program. At the time, Krstić noted that Apple would expand access and payouts. By expanding the reach and payout of the program, Apple may help curb the likelihood that any exploits which are discovered will fall into the wrong hands.
In order to be eligible, the issue needs to be on the latest version of Apple’s release operating systems with a standard configuration and, where relevant, on publicly available hardware. Researchers need to be the first party to report the issue to Apple Product Security and must meet other requirements as well.
Bounties fall into five broad categories: iCloud, device attack via physical access, device attack via user-installed app, network attack with user interaction, and network attack without user interaction, with maximum payouts ranging from $100,000 for an iCloud exploit to $1 million for a “zero-click kernel code execution with persistence and kernel PAC bypass.”
A payout of up to $1.5 million would be possible because Apple also offers a 50% bonus for “issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions.”
Apple noted that in addition to the financial reward, it offers public recognition to researchers who submit valid reports. It will also match donations of bounty payments to qualifying charities. More details are available on Apple’s developer site.
Will Apple’s more generous terms help it to tighten its operating system security even more, or do you think this is all for show? Sound off in the comments.