Apple Opens Its Invite-Only Bug Bounty Program
Apple launching a bug bounty program for the bug hunters to show there skills into the field and get rewards for it. The Researchers can report vulnerability in any product of the Apple like iOS, macOS, watchOS, tvOS, iPadOS, and iCloud to the company.
Since its launch three years ago, Apple's bug bounty program was open only for selected security researchers based on invitation and was only rewarded for reporting vulnerabilities in the iOS mobile operating system.
However, speaking at a hacking conference in August this year, Ivan Krstić, head of Apple Security Engineering and Architecture at Apple, announced the company's upcoming extended bug bounty program which included three main highlights:
an enormous increase in the maximum reward from $200,000 to $1.5 million,
accepting bug reports for all of its operating systems and latest hardware,
opening the program for all researchers.
Even after submitting a valid security bug, researchers need to follow some basic eligibility rules for receiving rewards, which includes reporting details directly to the Apple security team without revealing anything to the public until the company releases a patch and providing a clear report with a working exploit.
As shown in the bug bounty payout chart above, $1 million will be awarded only to those who submit a severe deadly zero-clickable kernel code execution exploit that could enable complete, persistent control of a targeted device.
What's more in it?
On top of its maximum reward of $1 million, Apple will also offer a 50% bonus to those who find and report vulnerabilities in its pre-release software (beta version) before its public release—bringing its maximum reward to $1.5 million.
Besides this, Apple will now also pay an additional 50% bonus on the eligible reward amount for reporting a 'regression' vulnerability that the company patched in previous versions of its software, but reintroduced 'mistakenly' in a developer beta or public beta release.
Apple Security Bounty program aims to also encourage hackers who either publicly disclose security vulnerabilities they discovered in Apple products or sell it to private vendors like Zerodium, Cellebrite, and Grayshift, who deal in zero-day exploits.
Since its launch three years ago, Apple's bug bounty program was open only for selected security researchers based on invitation and was only rewarded for reporting vulnerabilities in the iOS mobile operating system.
However, speaking at a hacking conference in August this year, Ivan Krstić, head of Apple Security Engineering and Architecture at Apple, announced the company's upcoming extended bug bounty program which included three main highlights:
an enormous increase in the maximum reward from $200,000 to $1.5 million,
accepting bug reports for all of its operating systems and latest hardware,
opening the program for all researchers.
Even after submitting a valid security bug, researchers need to follow some basic eligibility rules for receiving rewards, which includes reporting details directly to the Apple security team without revealing anything to the public until the company releases a patch and providing a clear report with a working exploit.
As shown in the bug bounty payout chart above, $1 million will be awarded only to those who submit a severe deadly zero-clickable kernel code execution exploit that could enable complete, persistent control of a targeted device.
What's more in it?
On top of its maximum reward of $1 million, Apple will also offer a 50% bonus to those who find and report vulnerabilities in its pre-release software (beta version) before its public release—bringing its maximum reward to $1.5 million.
Besides this, Apple will now also pay an additional 50% bonus on the eligible reward amount for reporting a 'regression' vulnerability that the company patched in previous versions of its software, but reintroduced 'mistakenly' in a developer beta or public beta release.
Apple Security Bounty program aims to also encourage hackers who either publicly disclose security vulnerabilities they discovered in Apple products or sell it to private vendors like Zerodium, Cellebrite, and Grayshift, who deal in zero-day exploits.
Comments
Post a Comment