Apple is offering $1M if you can find a bug in its devices or iCloud

Apple has opened its security bounty program to the public. The program now offers rewards from $100,000 to $1,000,000 to security users who can discover bugs in iCloud or the various Apple devices.

The bugs must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS. Last Thursday Apple outlined the different categories of the program in its developer page. The categories include iCloud, device attack through physical access or app and network attacks with and without user interaction.


To be eligible for the rewards security researchers must be the first person to report the bug to Apple Product Security. Secondly, they must provide a clear and detailed report, which includes an exploit that works. Lastly, they must not reveal the bug publicly before Apple released the security report.

Furthermore, bugs that are unknown to Apple or are found in beta versions of the OS can result in a 50% bonus payment.


The payments are determined by the level of access. The higher the level of access the higher the payment. Please keep in mind that all amounts are in USD. Also, sensitive data includes contents of Contacts, Mail, Messages, Notes, Photos, or real-time or historical precise location data.

TopicMaximum Reward
iCloudUnauthorized access to iCloud account data on Apple Servers$100,000
Device attack through physical accessBypass lock screen$100,000
Extract user data$250,000
Device attack through a user-installed app Unauthorized access to sensitive data$100,000
Kernel code execution$150,000
CPU side-channel attack$250,000
Network attack with user interaction One-click unauthorized access to sensitive data$150,000
One-click kernel code execution$250,000
Network attack without user interaction Zero-click radio to kernel with physical proximity$250,000
Zero-click unauthorized access to sensitive data$500,000
Zero-click kernel code execution with persistence and kernel PAC bypass$1,000,000
Apple devices

Report and Reward Guidelines

Report Requirments. Apple has several requirements for the report for it to be eligible for a payout. A complete report will include a detailed description of the bug being reported. It must also list any steps taken to get the Apple devices to an affected state. Third, the report should also include a reliable exploit for the bug being reported. Last but not least, the report should have enough information for Apple to be able to reproduce the bug.

Maximizing the Reward. To get the most out of the rewards, keep in mind the bugs that Apple is interested in. The first thing to remember is that Apple is interested in bugs that affect multiple platforms. Secondly, any bug that impacts the latest hardware and software. Thirdly, any bug that impacts sensitive components.

Other Requirements. You will also need to provide a full chain exploit for any bug that requires the execution of many exploits, one-click, and zero-click bugs. The chain and report must include both complied and source versions, all steps needed to run the chain and sample non-destructive payload.


In the past year, Google and Facebook have also offered rewards to security researchers for finding flaws in their software. Apple is changing how it tests its security so that it is similar to other tech giants like Microsoft and Yahoo.

have also offered rewards for researchers and hackers to put their security practices under the microscope over the past year. Other heavy-duty users of computers, including Microsoft, Yahoo, Chrysler and United Airlines have also had bug bounties.

See Also: Bluetooth Devices Vulnerable to Hacking

Do you think someone will be able to hack iCloud or any of the Apple devices? Or do you think that devices created by Apple are very secure? Let us know your thoughts in the comments below!

Continue to check out Maticstoday for the latest news items, product reviews, security practices, and video game discussions.

Source: Developer Page