Apple announces major changes to its bug bounty program, including higher rewards

Pierluigi Paganini August 09, 2019

At the Blackhat cybersecurity conference, Apple has announced a few major changes to its bug bounty program that will be open to any researcher.

The most striking change is related to the payout for the rewards, the
maximum reward passed from $200,000 to $1 million. This is the biggest payout for a bug bounty program operated by a tech company.

Apple will pay up to $1 million reward for a zero-click kernel code execution vulnerability zero user clicks,  that could be exploited by an attacker to take over a device.

On top of the maximum reward of $1 million, the tech giant announced it will also offer a supplementary bonus of 50% to those experts who report security issues in beta version software before its public release.

Another novelty is represented by the extent of the bug bounty program to all the operating systems developed by the company, including macOS, watchOS, tvOS, iPadOS, and iCloud.

Until now Apple’s bug bounty program only covered vulnerabilities in the iOS mobile operating system.

The tech giant also announced that starting from the next year will also provide pre-jailbroken iPhones to a selected number of trusted white-hat hackers under its iOS Security Research Device Program. 

“What makes these iPhones special? One source with knowledge of the Apple announcement said they would essentially be “dev devices.” Think of them as iPhones that allow the user to do a lot more than they could on a traditionally locked-down iPhone. For instance, it should be possible to probe pieces of the Apple operating system that aren’t easily accessible on a commercial iPhone.” wrote Thomas Brewster on Forbes. “In particular, the special devices could allow hackers to stop the processor and inspect memory for vulnerabilities. This would allow them to see what happens at the code level when they attempt an attack on iOS code.”

Apple’s decision to extend the bug bounty program and increase the rewards is very important. Let’s consider that since now the best way to earn money for a bug hunter was to sell the exploits to zero-day broker firms like Zerodium. These companies historically offered greater rewards for working zero-day exploits for popular software like iOS and the Tor Browser.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – bug bounty, Apple)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment