Apple's bug bounty program is now open to all security researchers, and it now also covers macOS, tvOS, watchOS and iCloud. The tech giant's bug bounty used to be invite-only and exclusively offered payouts for iOS bugs. A few months ago, however, the company revealed that it's expanding the program's scope and paying up to $1 million in rewards. Now, the expanded program is live, as Ivan Krstić, Apple's Head of Security and Architecture, has announced on Twitter.
🔺The new Apple Security Bounty! https://t.co/T4A2vTGSnM
🔺The new Apple Platform Security guide, featuring Mac for the first time!https://t.co/76qglenmif
(PDF version: https://t.co/8F4kb8izgD)
🔺My Black Hat 2019 talk: https://t.co/bqs6A3VAQ8
Happy holidays! 🎄
— Ivan Krstić (@radian) December 20, 2019
The company has also published an information page detailing the program's scope, rules and rewards -- as you can see, vulnerabilities that could lead to network attacks without user interaction have the highest possible payouts, ranging from $250,000 to $1 million. In order to be eligible for a reward, the issue must be found in the latest publicly available versions of the company's software and, if relevant, the latest hardware.
Researchers who find issues in developer and public betas could also get a 50 percent bonus, probably because discovering them will allow the company to conjure up a fix before they land on most users' devices. As ZDNet notes, though, Apple has pretty stringent requirements to be able to claim rewards, including the submission of functional exploits for the issues being reported.