Apple offers up to $200K in its first Bug Bounty Program


Level 12
Jun 24, 2016
Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs

As part of a security presentation given at this year's Black Hat conference, Apple today announced that it would be starting up a bug bounty program in the fall. The program will reward security researchers who uncover vulnerabilities in Apple's products and bring them to the company's attention. Google, Microsoft, Facebook, and many other companies have offered bug bounty programs for some time now, but this is Apple's first.

For now, Apple is intentionally keeping the scope of the program small. It will initially be accepting bug reports from a small group of a few dozen security researchers it has worked with in the past. For now, bounties are only being offered for a small range of iDevice and iCloud bugs. The full list is as follows:

  • Secure boot firmware components: Up to $200,000 (~£150,000)
  • Extraction of confidential material protected by the Secure Enclave: Up to $100,000.
  • Execution of arbitrary code with kernel privileges: Up to $50,000.
  • Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.
  • Unauthorized access to iCloud account data on Apple servers: Up to $50,000.
As the program continues and Apple works the, um, bugs out of its processes, the company will expand the list of eligible security researchers as well as the list of hardware and software bugs for which bounties are offered.

Researchers who want to claim the bounties will need to submit a report to Apple with a working proof-of-concept exploit that works on the latest stable version of iOS. If the bugs are hardware-related (as may be the case for Secure Enclave bugs), the proof-of-concept must also work on the latest shipping iPhone or iPad hardware. The payment amounts outlined above are upper limits—actual payments will depend on the novelty of the issue and how likely the issue is to be exploited.

Researchers are also asked not to disclose the bugs before Apple has time to fix them, though the company would only say it would fix them as soon as possible and wouldn't commit to a firm time window. Once the fix is published, researchers will be given credit if they want it (Apple already does this in its security update release notes). Successful researchers will also be given the opportunity to donate their bounty to charity alongside a matching donation from Apple, though Apple says it may choose not to match donations at its discretion.

Continue reading this article at the link at the top of the page
  • Like
Reactions: frogboy