Apple today officially opened its bug bounty program for its different systems and for all security researchers. Last August, the company had announced the expansion of the program, but since then only invited people could participate (and report bugs only from iOS).
Thus, from now on, any security researcher who finds any vulnerability in the iOS, at the iPadOS, at the macOS, at the watchOS, at the tvOS and even not iCloud You are eligible to receive a cash payment when you inform Apple (learn how to report a security or privacy vulnerability here).
In addition, Ma also increased the maximum reward value from $ 200,000 to $ 1,500,000 depending on the complexity / severity of the exploited failure. Of course, to receive the payment you need to be within a few parameters, which were posted on the program website:
- Be the first to report and describe the bug (s) in detail.
- Inform the prerequisites and steps to get the system infected.
- Demonstrate how to get to the bug that is being reported.
- Point out enough information for Apple to reproduce the bug (s).
Initially, Ma pay $ 1,000,000 researcher who discovers a persistent failure of the source code of the kernel that does not require user interaction (zero click) and with access by PAC; if this is discovered during the testing phase of a software, the company will offer a 50% bonus This is why, if the bug is discovered in beta, the company may be able to fix it before the software goes public.
Apple also pay a 50% bonus for so-called “Return errors”, which are recurring bugs in the company's systems. However, if one of these possible attacks involves more than one type of failure, the researcher will have to demonstrate the full attack (including all bugs) and not just the final vulnerability if they want to earn the maximum reward.
All documents were released by Ma's head of engineering and architecture security, Ivan Krsti:
As we reported, the Cupertino giant's program will also make iPhones available from next year for security researchers working on the program.
Still thinking about the safety of users, Ma released yesterday (19/12) a large document about the safety and security tools present in all its products, systems and services.