Back in August 2019, Apple expanded its Bug Bounty Hunter Program to macOS, and increased the bounty payout to $1 million. Now, they’ve gone a step further with their program. How? By expanding the bounty payout to $1.5 million total and allowing qualifying researchers and ethical hackers to participate.
What Vulnerabilities Is Apple Looking For?
Apple is looking for serious iOS security flaws and vulnerabilities. Not only do they want to improve their own operating system and device security, as detailed in their Introduction to Apple platform security, they also want the iPhone to be more secure than Android phones.
With this being said, Apple is looking for the following specific vulnerabilities (as listed on their site):
- iCloud (Max Payout of $100,000): Unauthorized Access To iCloud Account Data On Apple Servers.
- Device Attack Via Physical Access:
  - Lock Screen Bypass (Max Payout of $100,000)
  - User Data Extraction (Max Payout of $250,000)
- Device Attack Via User-Installed App:
  - Unauthorized Access To Sensitive Data (Max Payout of $100,000)
  - Kernel Code Execution (Max Payout of $150,000)
  - CPU Side Channel Attack (Max Payout of $250,000)
- Network Attack Without User Interaction:
  - Zero-Click Radio To Kernel With Physical Proximity (Max Payout of $250,000)
  - Zero-Click Unauthorized Access To Sensitive Data (Max Payout of $500,000)
  - Zero-Click Kernel Code Execution with Persistence and Kernel PAC Bypass (Max Payout of $1,000,000)
About The Apple Security Bug Bounty Program
The program has been around since 2016. In the beginning, only those who were invited by Apple were allowed to participate. Now, the Apple Security Bounty Program is open to all researchers and ethical hackers who meet certain requirements. If participants find critical vulnerabilities and file valid reports, they will be awarded a significant payout. Plus, Apple will match the bounty payout amount and donate it to qualifying charities.
If you are interested in becoming part of this program, make sure to thoroughly review the eligibility rules before applying.
Think You Can Hack An iPhone? Here’s How To Claim Your Reward
If you believe you have found any of the iOS vulnerabilities listed above, you first need to make sure you're eligible and that your submission meets Apple's report guidelines.
Here are the report guidelines participants must meet (as listed on their site):
- A detailed description of the issues being reported.
- Any prerequisites and steps to get the system to an impacted state.
- A reasonably reliable exploit for the issue being reported.
- Enough information for Apple to be able to reasonably reproduce the issue.
When your report is complete, it can be sent to [email protected]. Make sure your communications are encrypted with the Apple Product Security PGP Key.
Do you have what it takes to uncover any iOS vulnerabilities and possibly get $1.5 million? If you do, best of luck!