Apple previously announced that it would open its bug bounty program to the public later this year. Now, the company is fulfilling that promise by officially opening up Apple’s bug bounty program to all security researchers.
How to get the maximum reward
In August, at the Black Hat security conference in Las Vegas, Apple first revealed its intention to open the bug bounty program to the public. Until now, the program has been invitation-only, open just to selected security researchers, and its scope was limited to iOS rather than Apple's other operating systems.
Now, along with opening it to the public, Apple is expanding the scope of its bug bounty program to cover more products, including iPadOS, macOS, tvOS, watchOS, and iCloud. Moreover, the company has also raised the maximum bug bounty reward to $1,500,000 from $200,000. The amount of the reward depends on the complexity and severity of the bug discovered.
Detailing the new bug bounty program and its rules, Apple published a new page on its website. The page lists the reward a security researcher can expect for each category of submitted bug.
For instance, a bug that is unique, affects more than one Apple platform, reproduces on the latest hardware and software, and impacts sensitive components is the kind that can reach the top $1.5 million reward. The amount of user interaction an attack requires also matters: zero-click attacks (no user interaction) sit at the top of Apple's scale, with one-click attacks rated below them but still among the highest-paying categories.
Finding a bug in a beta release also increases the payout: according to Apple, a bug reported against a beta earns a 50% bonus on top of the regular reward. Beta bugs are rated highly because early detection gives Apple time to fix the issue before the software ships to the public.
Apple will likewise pay a 50% bonus for regression bugs, that is, bugs Apple patched in an earlier version of an OS that reappear in a later release.
Apple’s bug bounty program: reporting requirements
According to Apple’s website, the reported bug “must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware.”
Researchers need to submit clear, reproducible reports to be eligible for a bounty. “Reports lacking necessary information to enable Apple to efficiently reproduce the issue will result in a significantly reduced bounty payment,” Apple says.
As per Apple’s webpage, a report should include the following:
- A detailed description of the bug.
- The steps or prerequisites needed to get the system into the impacted state.
- A reliable exploit for the reported bug.
- Enough information for Apple's engineers to reproduce the issue.
Where an attack relies on several bugs, Apple also expects the full exploit chain. For instance, if an attack chains three bugs together, the researcher needs to submit the complete chain, detailing all three bugs, to receive the reward for it.
Security researchers who have seen the requirements say Apple has set a high bar for what counts as an acceptable report.
“One of the biggest challenges of a bug bounty program is filtering out all the subpar reports, and knowing what is a real/valid bug and the impact said bug could have,” Principal Security Researcher at Jamf, Patrick Wardle, told ZDNet.
If you plan to submit a report, email your findings to firstname.lastname@example.org. Apple says all reports must be encrypted with the Apple Product Security PGP key, and that you should include system diagnostic reports, crash logs, and any relevant videos.
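The encryption step above is the one a first-time submitter most often gets wrong. The following is an added example, not code from the article or from Apple: it shows, with GnuPG, how to import a recipient key, check its fingerprint before trusting it, and encrypt a report to it. Because the real Apple key and address are not reproduced here, the script generates a throwaway key in a temporary keyring and uses a placeholder address (`demo-recipient@example.invalid`, an assumption for the demo); against a real vendor key you would replace `make_demo_key` with `gpg --import vendor-key.asc` and compare the printed fingerprint with the one the vendor publishes.

```shell
#!/bin/sh
# Added example (not from the article or Apple): encrypt a bug report to a
# recipient's PGP key with GnuPG. A throwaway key is generated in a temporary
# keyring so the demo runs offline; in practice you import the vendor's
# published key and verify its fingerprint out of band before encrypting.
set -eu

export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
RECIPIENT="demo-recipient@example.invalid"   # placeholder, not Apple's address

# Create an unprotected demo key. This stands in for the vendor key you would
# normally bring in with: gpg --import vendor-key.asc
make_demo_key() {
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "Demo Recipient <$RECIPIENT>" default default never
}

# Print the key's fingerprint (40 hex digits for a v4 key) so it can be
# compared, character by character, with the fingerprint the vendor publishes.
recipient_fingerprint() {
    gpg --batch --with-colons --fingerprint "$RECIPIENT" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt a report file (bundle attachments such as crash logs and sysdiagnose
# output into a tarball first) to the recipient key.
# --trust-model always skips the web of trust; only do this after you have
# verified the fingerprint yourself.
encrypt_report() {   # $1 = plaintext path, $2 = output path
    gpg --batch --yes --quiet --trust-model always \
        --recipient "$RECIPIENT" --output "$2" --encrypt "$1"
}

# Decrypt with the recipient's private key. That works here only because the
# demo key pair lives in our temporary keyring; a vendor's private key never
# leaves the vendor, which is the whole point of encrypting the report.
decrypt_report() {   # $1 = ciphertext path
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback --decrypt "$1"
}

# End-to-end run on a constructed sample report; prints the recovered plaintext.
demo() {
    make_demo_key
    report="$GNUPGHOME/report.txt"
    printf 'Constructed sample report: steps to reproduce go here.\n' > "$report"
    encrypt_report "$report" "$report.gpg"
    decrypt_report "$report.gpg"
}
```

Run `demo` to see the round trip, and `recipient_fingerprint` to see what you should be checking against the vendor's published value; an encrypted report sent to an unverified key is worthless if the key belongs to someone other than the vendor.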
Bug bounty: is it needed?
Even though Apple’s operating systems are regarded as secure, there is always room to make them better, and several recent incidents have shown this. It was recently reported that attackers could lock users out of their iPhones unless they updated to iOS 13.3. Earlier, while the iPhone 11 was still on pre-order, an iOS 13 security vulnerability was reported before the software had even shipped.
A more serious security threat was revealed when Google researchers discovered a vulnerability in Apple iMessage. The researchers claimed that the vulnerability could allow hackers to remotely access iOS device files.
This is not unique to Apple; almost all software has vulnerabilities. The trick is to catch and patch them as early as possible, which is what Apple aims to do by opening its bug bounty program to all researchers.