Roughly three years ago, Apple began paying security researchers for discoveries of unknown vulnerabilities in iOS, and today, it’s responding to long-standing requests by adding macOS, watchOS, and tvOS devices to the list. Additionally, the company is now offering a maximum reward of $1 million for the most serious security issues, providing researchers with even more incentive to report rather than hoard their findings.
The news went public today at the annual Black Hat security conference in Las Vegas (via TechCrunch), where lead Apple security developer Ivan Krstić disclosed key updates to the bug bounty program. Apple will now pay $1 million for a deadly serious exploit — a zero-click attack that enables complete, persistent control of an iPhone’s kernel with nothing more than knowledge of the device’s phone number — up from a peak of $200,000 before. Less serious exploits will qualify for smaller amounts.
For the company, the risk of low payments has been that security researchers will instead hand their findings off to private organizations, such as Grayshift and Cellebrite, that will subsequently exploit Apple’s devices for profit. To further incentivize proactive reporting, Apple is also offering a 50% bonus to researchers who report pre-release vulnerabilities before general release, and next year will provide select “vetted and trusted” researchers with pre-jailbroken iPhones that may have vulnerabilities at the secure shell level.
Apple TV, Apple Watch, and Mac users will also benefit from the bug reporting program, which was previously focused largely on Apple’s iPhones and iPads. In February, German security researcher Linus Henze criticized the company for not offering Mac bug bounties, and publicly disclosed a large Mac password protection exploit that otherwise would have remained private. Google’s Project Zero team has also weighed in on the topic, noting that Apple has left major Mac vulnerabilities unfixed for months at a time, compromising user security in the process.
This year alone, the company has twice limited FaceTime access over iPhone and Apple Watch vulnerabilities that could seriously compromise users’ privacy, enabling callers to listen to their unanswered devices. Researchers have also uncovered security issues in Macs’ Intel chips and macOS’ app whitelisting system, which could lead to broad exploits of Apple’s computers.