Apple Bug Bounty Program Opens to Public, $1M Reward

Any and all bug bounty hunters and security researchers can claim rewards of $1 million or more from Apple for finding substantial flaws in the vendor’s operating systems. The software testing program had previously been restricted by invitation only.

Apple’s iCloud, iPadOS, macOS, tvOS, and watchOS are on the bug bounty list. The top payouts in each category reflect significant effort and are applicable to issues that impact all or most Apple platforms, or that circumvent the full set of latest technology mitigations available.

Payouts vary based on available hardware and software mitigations that must be bypassed for successful exploitation. There is a $5,000 minimum payout for all categories. Any bug discovered in a beta version will earn the researcher a 50 percent additional bonus if the issues were previously unknown to Apple.

Sample payouts: a researcher who gains unauthorized iCloud account access can earn $25,000 to $100,000, depending on the level of control obtained; bypassing a device’s lock screen earns between $25,000 and $100,000; and a CPU side-channel attack that leaks sensitive data from other processes or higher privilege levels earns $250,000, one of five $250,000 bounties in the schedule. Zero-click attacks, which commandeer a system or device without any user input, pay out the most.

Here’s a rundown of payouts:

  • Bounty payments are determined by the level of access or execution obtained by the reported issue, modified by the quality of the report.
  • All security issues with significant impact to users will be considered for Apple Security Bounty payment, even if they do not fit the published bounty categories.

Unauthorized iCloud Account Access

  • $25,000. Limited unauthorized control of an iCloud account.
  • $100,000. Broad unauthorized control of an iCloud account.

Physical Access to Device: Lock Screen Bypass

  • $25,000. Access to a small amount of sensitive data from the lock screen (but not including a list of installed apps or the layout of the home screen).
  • $50,000. Partial access to sensitive data from the lock screen.
  • $100,000. Broad access to sensitive data from the lock screen.

Physical Access to Device: User Data Extraction

  • $100,000. Partial extraction of sensitive data from the locked device after first unlock.
  • $250,000. Broad extraction of sensitive data from the locked device after first unlock.

User-Installed App: Unauthorized Access to Sensitive Data

  • $25,000. App access to a small amount of sensitive data normally protected by a TCC prompt.
  • $50,000. Partial app access to sensitive data normally protected by a TCC prompt.
  • $100,000. Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox.

User-Installed App: Kernel Code Execution

  • $100,000. Kernel code execution reachable from an app.
  • $150,000. Kernel code execution reachable from an app, including PPL bypass or kernel PAC bypass.

User-Installed App: CPU Side-Channel Attack

  • $250,000. CPU side-channel attack allowing any sensitive data to be leaked from other processes or higher privilege levels.

Network Attack with User Interaction: One-Click Unauthorized Access to Sensitive Data

  • $75,000. One-click remote partial access to sensitive data.
  • $150,000. One-click remote broad access to sensitive data.

Network Attack with User Interaction: One-Click Kernel Code Execution

  • $150,000. One-click remote kernel code execution.
  • $250,000. One-click remote kernel code execution, including PPL bypass or kernel PAC bypass.

Network Attack without User Interaction: Zero-Click Radio to Kernel with Physical Proximity

  • $50,000. Zero-click code execution on a radio (e.g. baseband, Bluetooth or Wi-Fi) with only physical proximity, with no escalation to kernel.
  • $200,000. Zero-click partial access to sensitive data, with only physical proximity.
  • $250,000. Zero-click kernel code execution, with only physical proximity.

Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data

  • $100,000. Zero-click attack that can turn on and collect information from a sensor (e.g., camera, microphone, or GPS).
  • $250,000. Zero-click partial access to sensitive data, without physical proximity.
  • $500,000. Zero-click broad access to sensitive data.

Network Attack without User Interaction: Zero-Click Kernel Code Execution with Persistence and Kernel PAC Bypass

  • $1,000,000. Zero-click remote chain with full kernel execution and persistence, including kernel PAC bypass, on latest shipping hardware.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.