November 18, 2024

Apple Now Offers Up to $1.5 Million for Finding Critical Security Issues

Posted December 20, 2019 at 3:00am by iClarified · 8053 views
Apple has announced that researchers can now earn a security bounty of up to $1.5 million for finding critical security issues with its hardware and software.

As part of Apple’s commitment to security, we reward researchers who share critical issues with us through the Apple Security Bounty. You can now earn up to $1,500,000 and report issues on iOS, iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, Apple offers public recognition for those who submit valid reports and will match donations of the bounty payment to qualifying charities.

Eligibility
In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware. These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research. Researchers must:
● Be the first party to report the issue to Apple Product Security.
● Provide a clear report, which includes a working exploit (detailed below).
● Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue). See terms and conditions.

Issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions, can result in a 50% bonus payment. Qualifying issues include:
● Security issues introduced in certain designated developer beta or public beta releases, as noted on this page when available. Not all developer or public betas are eligible for this additional bonus.
● Regressions of previously resolved issues, including those with published advisories, that have been reintroduced in a developer beta or public beta release, as noted on this page when available.

More details about payouts and reporting guidelines can be found at the link below.

Read More