Apple has opened its security bounty program to the public. The program now offers rewards from $100,000 to $1,000,000 to security users who can discover bugs in iCloud or the various Apple devices.
The bugs must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS. Last Thursday Apple outlined the different categories of the program in its developer page. The categories include iCloud, device attack through physical access or app and network attacks with and without user interaction.
To be eligible for the rewards security researchers must be the first person to report the bug to Apple Product Security. Secondly, they must provide a clear and detailed report, which includes an exploit that works. Lastly, they must not reveal the bug publicly before Apple released the security report.
Furthermore, bugs that are unknown to Apple or are found in beta versions of the OS can result in a 50% bonus payment.
The payments are determined by the level of access. The higher the level of access the higher the payment. Please keep in mind that all amounts are in USD. Also, sensitive data includes contents of Contacts, Mail, Messages, Notes, Photos, or real-time or historical precise location data.
|iCloud||Unauthorized access to iCloud account data on Apple Servers||$100,000|
|Device attack through physical access||Bypass lock screen||$100,000|
|Extract user data||$250,000|
|Device attack through a user-installed app||Unauthorized access to sensitive data||$100,000|
|Kernel code execution||$150,000|
|CPU side-channel attack||$250,000|
|Network attack with user interaction||One-click unauthorized access to sensitive data||$150,000|
|One-click kernel code execution||$250,000|
|Network attack without user interaction||Zero-click radio to kernel with physical proximity||$250,000|
|Zero-click unauthorized access to sensitive data||$500,000|
|Zero-click kernel code execution with persistence and kernel PAC bypass||$1,000,000|
Report and Reward Guidelines
Report Requirments. Apple has several requirements for the report for it to be eligible for a payout. A complete report will include a detailed description of the bug being reported. It must also list any steps taken to get the Apple devices to an affected state. Third, the report should also include a reliable exploit for the bug being reported. Last but not least, the report should have enough information for Apple to be able to reproduce the bug.
Maximizing the Reward. To get the most out of the rewards, keep in mind the bugs that Apple is interested in. The first thing to remember is that Apple is interested in bugs that affect multiple platforms. Secondly, any bug that impacts the latest hardware and software. Thirdly, any bug that impacts sensitive components.
Other Requirements. You will also need to provide a full chain exploit for any bug that requires the execution of many exploits, one-click, and zero-click bugs. The chain and report must include both complied and source versions, all steps needed to run the chain and sample non-destructive payload.
In the past year, Google and Facebook have also offered rewards to security researchers for finding flaws in their software. Apple is changing how it tests its security so that it is similar to other tech giants like Microsoft and Yahoo.
have also offered rewards for researchers and hackers to put their security practices under the microscope over the past year. Other heavy-duty users of computers, including Microsoft, Yahoo, Chrysler and United Airlines have also had bug bounties.
See Also: Bluetooth Devices Vulnerable to Hacking
Do you think someone will be able to hack iCloud or any of the Apple devices? Or do you think that devices created by Apple are very secure? Let us know your thoughts in the comments below!
Continue to check out Maticstoday for the latest news items, product reviews, security practices, and video game discussions.
Source: Developer Page
Javeria Qureshi is a Content Writer and Web Developer at Codematics Inc. In her free time, you can find her watching Patriot Act with Hasan Minhaj, reading books or drinking chai. Search for her articles under the hashtag #JQArticle on Twitter or LinkedIn.