Apple on Friday announced that the company has officially opened its bug bounty program to all security researchers. This follows announcements at this year’s Black Hat security conference in Las Vegas that Apple would be expanding the program later in the year.
Prior to this, the program was invitation-based and non-iOS devices were not included in the reward system. Via Friday’s announcement, any security researcher who locates bugs in iOS, macOS, tvOS, watchOS, or iCloud will be eligible to receive a cash payout for disclosing the vulnerability to Apple.
Apple has also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw. A zero-click kernel code execution with persistence will earn the maximum amount.
Apple has also stated that it will add a 50 percent bonus on top of the standard payout for bugs located in beta software. It is also offering this bonus for “regression bugs” – bugs that Apple has patched in the past but that have resurfaced in a later version of the software.
When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.
For 2020, Apple has stated that it plans to outfit better and trusted security researchers and hackers with “dev” iPhones that offer deeper access to the underlying software and operating system. This, in turn, will make it easier to locate vulnerabilities.
Stay tuned for additional details as they become available.