Apple extends existing private bug bounty program at the end of the year

Apple Updates Bug Bounty Program Q4

In recent years, Apple, the Cupertino-based company, has received heavy criticism of its bug bounty program. Among others, well-known security researchers have criticized Apple for running a program that attracts submissions but rarely pays out. The main reason was that Apple's bug bounty program was open by private invitation only. Now that Apple is increasingly confronted with full disclosure, data protection failures, and vulnerabilities that can no longer be denied, the internal program has to be revised in its methodology. The drivers are higher prices on the black and grey markets for exploits, penalties for data protection incidents, and public criticism from security researchers.

The company now seems to want to counter this trend. Apple will pay 50% more for qualifying bugs found in betas of new operating systems, according to Ivan Krstic, the head of Apple's security engineering, who announced the updates at Black Hat in Las Vegas.

Apple's plan for the coming year is to bring more security researchers into the program while offering higher payouts. In addition, macOS will be added to the program's scope alongside iOS.

The program will also cover individual products such as Apple TV and Apple Watch, and Apple will now pay for iCloud vulnerabilities as well. For example, a security researcher who manages to gain unauthorized access to iCloud account data on Apple's servers can receive up to $100,000 (USD). Extraction of user data from a device with physical access pays up to $200,000 (USD). The most valuable category is a so-called zero-click kernel code execution that remains persistent on the device across reboots; for this type of reported vulnerability, the company will pay a maximum of $1 million (USD). "Zero-click" means the end user does not need to interact at all (no link to open, no attachment to tap) for the device to be compromised and attacker-controlled code to run in the kernel, which is exactly why such chains command the highest prices on the exploit market.

Since many companies have not focused on improving their bug bounty / responsible disclosure programs in recent years, they often try to keep the security community on their side by raising the prize money instead. It is hard to predict whether Apple will succeed after the breakdowns in its program involving Bear, Mejri, and Esser in recent years. Security researchers outside the USA in particular are advised not to accept the new terms blindly, and to make sure before submitting that their report will actually be paid out at the end, since a large advertised maximum says nothing about what a given submission will be rated.

Often, when sympathy runs out and the research community's trust in a company comes to a standstill, the company reacts by raising its bug bounty payouts as an "improvement", so that it can keep its bug bounty / responsible disclosure program running at all.



gbe, many bb sites get higher

Do you believe Apple does what they promise?
