Apple has announced that it is expanding its bug bounty program beyond iOS to macOS and its other platforms. Three years ago it introduced a bug bounty program for iOS alone; iCloud, iOS, tvOS, iPadOS, watchOS, and macOS will now all be covered.
The announcement was made by Ivan Krstić, Apple's head of security engineering and architecture, at the Black Hat conference yesterday. The expanded program covers Macs and MacBooks as well as Apple TV and Apple Watch, and it raises the rewards from the previous maximum of $200,000 per exploit to as much as $1 million for a zero-click, full-chain kernel code execution attack (i.e. one in which an attacker gains complete control of a device without any user interaction, needing nothing more than the target's phone number).
Most tech companies pay cash to researchers who report security flaws in their systems.
Until now Apple had insisted on paying only for flaws discovered in iOS. As a result, a number of security researchers withheld reports of flaws in its other platforms because Apple was not paying for them. As recently as earlier this year, a security researcher publicly detailed a macOS flaw but refused to submit it to Apple because there was no bug bounty for macOS.
Apple also said that any researcher who finds a vulnerability in a pre-release build and reports it before general release will qualify for a bonus of up to 50% on top of the payout for that vulnerability's category.
The expanded bug bounty program will open to all security researchers later this year.