Apple bug bounty program now open to public with $1M top payout

In a major shift of policy, the exclusive Apple bug bounty program has been opened up to let the public participate. The Silicon Valley giant made this announcement via its website. Of note are numerous things, but the most interesting is that Apple has made its top payout a staggering $1 million. To encourage healthy competition and ensure bugs are found in a timely fashion, it would make sense that Apple would create such a massive financial incentive. Previous to this announcement, you needed an invitation from Apple to take part in the bug bounty program.

There is a caveat, however, as the $1 million can be obtained only by uncovering a “zero-click remote chain with full kernel execution and persistence, including kernel PAC bypass, on latest shipping hardware.” Besides this top reward, the bug bounty payouts range from $25,000 to $500,000.

Flickr / Thierry Ehrmann

There are strict eligibility requirements for this program, however, and the requirements are quoted below:

In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware. These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research.

Additionally, according to the announcement, researchers must:

  • Be the first party to report the issue to Apple Product Security.
  • Provide a clear report, which includes a working exploit.
  • Not disclose the issue publicly before Apple releases the security advisory for the report.

Participants in the Apple bug bounty program have the opportunity to obtain an additional 50 percent bonus to their bug bounty payout. If the bug discovered is previously unknown to Apple and is specifically found in particular developer betas and public betas (including regressions), the bug hunter can gain the bonus.

The Apple bug bounty program and similar programs are a win-win for white hats and users of Apple products. So, what are you waiting for? Get out there and find some bugs!