Apple has officially opened its historically private bug-bounty program to the public, while boosting its top payout to $1 million.
Bounty hunters seeking that $1 million will need to provide a working exploit for a zero-click remote chain with full kernel execution and persistence on Apple’s latest shipping hardware. The exploit will need to include a bypass for Apple’s kernel pointer authentication code (PAC), which is a cryptographic signature mechanism.
Other payouts range from $25,000 to $500,000 across a range of products, including Macs, iPhone and iPad, and Apple TV. Vulnerability types encompass those that enable lock-screen bypasses; unauthorized iCloud account access; attacks that require physical access to the device; and network-based attacks with or without user interaction that result in information exfiltration, code execution and more (these include attacks carried out via both physical and wireless/Wi-Fi/Bluetooth networks).
Apple is also offering payouts for vulnerabilities that can be exploited via malicious applications. These include bugs that would allow an app to access sensitive data; execute kernel-level code; or carry out CPU side-channel attacks.
Importantly, Apple Pay is not in scope.
“In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware,” Apple said in its final published eligibility rules, issued on Thursday.
In addition, developer betas and public betas are eligible for a 50 percent payout for the above-mentioned bugs.
Bug hunters reacted to the $1 million reward news with a mix of positivity and regret:
https://twitter.com/MalwareTechBlog/status/1207862438416150532
To claim a full reward, bug hunters must be the first to report an issue, provide a clear report with a working exploit (proofs of concept will garner a half-bounty) and not disclose the problem before Apple issues a security advisory for the bug in question. Bug hunters are also not allowed to “hack” any account, device or service other than their own.
According to the bounty page, “Apple is particularly interested in issues that: Affect multiple platforms; impact the latest publicly available hardware and software; are unique to newly added features or code in designated developer betas or public betas, including regressions, as noted on this page when available; impact sensitive components; [and] are novel.”
Apple first announced that it would make its bug-bounty program public back in August, at Black Hat 2019. The move commanded attention thanks to the tech giant promising bigger payouts and an expanded list of in-scope products for its public endeavor. Its existing program has been invite-only, with rewards only as high as $200,000 on limited platforms.
Apple also at the time confirmed a report that it will give security researchers special iPhones that will make it easier for them to find weaknesses in its smartphone, in a new program called “iOS Security Research Device Program.” The phone will have special features – such as advanced debug capabilities – and will be available to researchers in 2020.