As was expected, Apple is introducing an expanded bug bounty program that will cover iOS, macOS, tvOS, watchOS, and iCloud. The expanded program was announced Thursday afternoon by Apple’s head of security engineering Ivan Krstić, at the Black Hat conference in Las Vegas.
Apple’s bug bounty program, which debuted back in August 2016, had been limited to iOS devices. The program paid a cash bounty to security researchers who found security vulnerabilities and disclosed them to Apple. Apple’s limiting of bounties to iOS bugs had been criticized by the security community.
It is possible that Apple’s new interest in such a program may have been spurred at least in part by an incident in February, when German teen Linus Henze discovered a macOS Keychain exploit but refused to hand over details of the flaw in protest of Apple’s not offering a macOS bug bounty. Henze eventually handed over the details of the flaw, saying the vulnerability was too important to not disclose.
In addition to expanding the bug bounty program to all of its operating systems and iCloud, Apple will be increasing the maximum size of the payouts, from $200,000 per exploit to $1 million depending on the nature of the security flaw. For example, a zero-click kernel code execution with persistence would earn the top payout.
A 50% bonus payout would be available in addition to the base amount to researchers that discover vulnerabilities in pre-release software.
As also reported earlier this week, Apple will also provide special iPhone hardware to trusted security researchers. The “dev devices” will allow the user to do a lot more than they could on a traditionally locked-down iPhone. The device will provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.
Apple will provide the iPhones beginning next year as part of their new iOS Security Research Device Program, launching next year.