Bug bounty programs are one of the most effective tools a company has for finding and fixing bugs in its operating systems and software. Under such a program, security researchers are paid a bounty for the vulnerabilities they find and report to the company.
In 2016, Apple opened a security bounty program for iOS and invited specific researchers to join it. Now, according to an announcement on its website, the company has expanded the program to all of its operating systems—iOS, iPadOS, macOS, tvOS and watchOS. The program is also open to all security researchers, rather than a select few.
Payouts for bugs range from $100,000 to $1,000,000. According to Apple, “researchers must:
- Be the first party to report the issue to Apple Product Security.
- Provide a clear report, which includes a working exploit (detailed below).
- Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).”
This is a welcome announcement by Apple and should help improve security on Apple’s products even more.