Apple launches a program that pays rewards for discovering bugs on its platforms
Apple has reopened its bug-hunting program, which pays security researchers. Apple offers a reward of $1 million or more for discoveries of major vulnerabilities in its operating systems.
The program was previously open by invitation only, starting in 2016, and has now been expanded beyond iOS. At the Black Hat conference in August, Apple announced that it would open the program to the public, and that iCloud, iPadOS, macOS, tvOS and watchOS would also be on the list of platforms for which it accepts bug reports.
To receive this bonus, researchers must submit a detailed description of the bugs they have discovered and provide enough details to allow Apple to reproduce them.
The highest bounties will be awarded to researchers who discover bugs that affect multiple Apple platforms, especially when they cause the latest Apple devices and software to fail. Any bugs detected in beta releases will earn an additional 50% on top of the standard reward. The reward levels are classified as follows:
- Bypass the device's lock screen: from USD 25,000 to USD 100,000
- Unauthorized access to iCloud: from USD 25,000 to USD 100,000
- Extract sensitive data from a locked device: from USD 100,000 to USD 250,000
However, to reach the highest level of reward, researchers need to find bugs that enable attacks that take over the whole device without any action from the user, known as zero-click attacks. This case has very strict requirements: Apple requires researchers to submit the complete sequence of vulnerabilities they discovered with the report.
This could be a move by Apple to address the multitude of bugs found in iOS 13, including security flaws. According to an article published by Bloomberg in November, Apple changed the way it tests software in preparation for the launch of iOS 14 in 2020, in order to reach a level similar to that of Google, Microsoft and other companies, which isolate and test changes in their software.
Apple promises to match donations to eligible charities and to publicly credit researchers who send it valid reports.