As first promised last August, Apple’s bug bounty program is now open to all.
It was previously an invitation-only initiative, which attracted criticism because it encouraged researchers who were not invited to sell vulnerability details to companies and governments that would exploit them to gain unauthorized access to Apple devices.
Apple recently increased maximum payments after complaints that rewards were low enough that even invited researchers were more likely to be tempted to sell security vulnerabilities on the black market for much higher sums.
An Apple Security Bounty microsite has all the details, including eligibility.
To be eligible for an Apple Security Bounty, the issue must occur on the latest available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where applicable, the latest publicly available hardware.
These eligibility rules are intended to protect customers until an update is available, to ensure that Apple can quickly verify reports and create the necessary updates, and to adequately reward those who conduct original research.
Researchers who find bugs and flaws should:
– Be the first to report the problem to Apple Product Security.
– Provide a clear report, including a working exploit.
– Not disclose the issue publicly before Apple publishes the security notice for your report.
The benefit chart
Issues that Apple is unaware of that are unique to designated developer beta versions and public beta versions, including regressions, can result in a 50% bonus payment.
Apple has released a schedule of maximum payouts, ranging from $100,000 to $1 million, although the 50% beta bonus means the maximum payout is $1.5 million. Apple will also pay the same amount to a charity.