Apple vastly expands bug bounty program: covers all operating systems, payouts up to $1M

Apple confirmed at the Black Hat conference that its bug bounty program has been expanded to cover Apple’s other operating systems.

Until now, Apple had restricted its bug bounty program to iOS and limited who could participate in it. One of the first big changes announced today by Apple’s head of security engineering and architecture, Ivan Krstic, is that the program will open up to include all of Apple’s platforms, including macOS and watchOS.

Going further, the expanded program will be open to all security researchers come this fall, and Apple also shared a list of some of the new payouts, which go up to $1 million. The original iOS bounty program maxed out at a $200,000 payout.

During the conference, Apple provided a list of the maximum possible payouts for finding issues, scaling with the difficulty of the attack:

  • Bounties for bugs that allow a Lock screen bypass or unauthorized access to iCloud pay out $100,000.
  • Vulnerabilities that allow an attack via a user-installed app or a network attack pay up to $250,000, while bugs that allow a network attack with no user interaction pay up to $1 million.
  • That top payout is reserved for a zero-click kernel code execution with persistence.
  • Furthermore, if a researcher finds a vulnerability in a pre-release beta build and reports it to Apple ahead of its public release, they stand to earn a bonus of up to 50% on top.

Apple also detailed its new iOS Security Research Device program. It will launch next year and will also be open to all, as long as applicants have a “track record of high-quality systems security research…”

These devices will be set up with permissions that provide more access to the inner workings of iOS, a move that could help increase the number of issues caught before they appear in beta or public-release software.