Apple's expanded bug bounty program covers all operating systems, payouts up to $1M, special iPhones, more

Apple's new Security Bounty Program raises payouts. | Source: Trademarq via Twitter

Rumored in a report on Monday and announced during the Black Hat conference by Apple's head of security engineering and architecture Ivan Krstic, the bug bounty system has been expanded to cover Apple's other operating systems. For the first time, Apple is defining levels of payments that will be provided to security researchers who disclose vulnerabilities they find in macOS, with similar schemes also created for other platforms, including watchOS and tvOS.

The bounties also cover iPadOS, the offshoot from iOS, as well as issues with iCloud.

During the conference, Apple provided a list of maximum possible payouts for finding issues, scaling with the difficulty of the attack. On the lower end of the maximum payment scale for iOS are items like unauthorized access to iCloud account data on Apple servers, a lock screen bypass using physical access and unauthorized access to high-value user data using a user-installed app, with each earning the finder $100,000 at most.

On the other end of the range are more difficult tasks, including a CPU side-channel attack on high-value user data via a user-installed app, one-click kernel code execution via a network attack requiring user interaction, and a zero-click radio to kernel attack with physical proximity without user interaction, with each earning up to $250,000.

A vulnerability providing zero-click access to high-value user data over a network without user interaction offers a maximum payout of $500,000. At the top of the list is a full-chain kernel code execution attack that can persist, performed without a user's interaction at all, which can pay out up to $1 million.

Furthermore, if a researcher finds a vulnerability in a pre-release beta build that is reported to Apple ahead of its public release, they stand to earn a bonus of up to 50% on top.

At a maximum possible earnings of $1.5 million with the pre-release bonus, the bug bounty is a considerable step up in payments for Apple. Previously the maximum possible payment was $200,000.

Security researchers will be able to apply for the bug bounties later this year. The program will also open up to all researchers this fall, rather than a limited number of security experts approved by the iPhone maker.

Apple also used its Black Hat presentation to confirm it will offer "dev devices" to a selection of trusted researchers as part of the iOS Security Research Device Program. The iPhones will be set up with permissions to provide more access to the inner workings of iOS, a move which could help increase the number of issues caught before they appear in beta or public-release software.

The expansion of the bug bounty system is likely to be welcomed by security researchers such as Linus Henze, who earlier this year provided Apple with full details of a Keychain security exploit he discovered. His initial demand in February required Apple to provide an official statement for why a macOS bug bounty program didn't exist, but he later decided to hand it over to keep macOS secure.

Apple first introduced a bug bounty scheme in 2016, offering to pay researchers for finding exploits and flaws in iOS that could defeat the security of iPhones and iPads. Throughout its lifetime, there have been complaints about Apple failing to make a similar program that works across its other operating systems.