Apple recently announced that they would be making changes to their bug bounty program. They have immensely increased the maximum reward from $200,000 to $1 million. This is by far the biggest bug bounty reward by any major tech company.
This million-dollar payout is reserved for the most severe vulnerabilities, such as "a zero-click kernel code execution vulnerability that allows hackers full control of the device's kernel". Less severe issues will receive lower payouts. The program now also covers Apple's other platforms: macOS, tvOS, watchOS, iPadOS, and iCloud.
Apple is working on a new iOS Security Research Device Program:
Apple will provide pre-jailbroken iPhones to a select few security researchers in this program. These devices will grant far deeper access than a retail iPhone. Researchers will get a root shell, SSH access, and advanced debugging capabilities, allowing them to hunt for vulnerabilities directly from a root shell on the device.
According to Forbes, the program will take effect next year. Anyone can apply to receive a device, but Apple will hand out only a small number of them.
Other changes in the bug bounty program:
Apart from the $1 million reward, Apple is also offering a 50% bonus to anyone who finds and reports a security vulnerability in its pre-release software, raising the maximum payout to $1.5 million. Applications for this program will open to everyone later this year.
Bug bounty hunters will welcome this step. Researchers who find such vulnerabilities otherwise either disclose them publicly or sell them to private vendors such as Cellebrite, Zerodium, and Grayshift, companies that deal in zero-day exploits.