Apple’s products have a reputation for being pretty secure, but they’re not perfect. Now, if you’re a great security researcher or white-hat hacker—and you want to go after other Apple devices and services beyond just iOS and iCloud—you can earn a lot of cash.
Ivan Krstic, Apple’s head of security engineering and architecture, announced at this year’s Black Hat convention that Apple is expanding its bug bounty program to include all of its major platforms. Better yet, Apple is increasing the payouts for bugs.
Apple’s bug bounty program now covers iOS, macOS, watchOS, tvOS, iPadOS, and iCloud, as well as all devices that run on these operating systems. The maximum payout amount for finding a bug has been increased to $1 million, which is a big leap from the previous $200,000 maximum. Examples of high-value bug disclosure rewards include:
- Lock screen bypass: $100,000
- User data extraction: $250,000
- Unauthorized access to high-value user data: $100,000
- Kernel code execution: $150,000
- CPU side-channel attack on high-value data: $250,000
- One-click unauthorized access to high-value user data: $150,000
- One-click kernel code execution: $250,000
- Zero-click radio to kernel with physical proximity network attack: $250,000
- Zero-click access to high-value user data: $500,000
- Persistent full-chain kernel code execution attack without user interaction: $1,000,000
In addition to these figures, bug finders can receive a bonus of up to 50 percent for uncovering vulnerabilities in pre-release builds.
Why is Apple bumping up its payouts? Aside from encouraging more security researchers to investigate Apple’s products, it also makes it more lucrative for said researchers to disclose their vulnerabilities to Apple, rather than sell them to hacker groups who would want to take advantage of the security flaws. (One hopes.)
Those interested in Apple’s bug program should head to Apple’s official support page for security and privacy vulnerabilities, which includes instructions for bug disclosure and more information on the bounty program in general.