Apple Increases Maximum iOS Bug Bounty Reward to One Million Dollars
Apple is increasing the maximum reward in its bug bounty program for iOS to one million dollars. The company will pay that amount to researchers who find a serious vulnerability in the mobile operating system.
The new maximum reward is five times as high as before. Previously, the company offered up to $200,000 to security researchers; now it will be a million. Apple was one of the last major tech companies to offer such a bug bounty program. The program allows security researchers to report vulnerabilities in iOS to the company and qualify for a reward, and the rewards increase with the severity of the vulnerability. Apple's program started at $25,000 for a sandbox escape and went up to $200,000 for a vulnerability in the secure boot firmware.
The new maximum of one million dollars will be paid to those who can compromise the iOS kernel without user interaction. Apple also offers half a million dollars for those who can exploit a vulnerability over a network without user interaction. The program adds a fifty percent bonus for vulnerabilities found in software that has not yet been officially released. Earlier this week it emerged that Apple would be handing out special iPhones to security researchers for that purpose; the company has now officially confirmed this to Forbes. The bug bounty program was announced at the Black Hat conference taking place this week in Las Vegas.
With the new prices, Apple is likely responding to movements in the zero-day market. iOS vulnerabilities fetch far more at commercial brokers such as Zerodium. Even now, Apple offers less money than that company: Zerodium pays double for serious vulnerabilities in iOS, and another company, Crowdfense, pays as much as $3 million. Two years ago it emerged that uptake of the bug bounty program was low because of the relatively low rewards.
Apple is also extending the bug bounty program to macOS, and even to watchOS and the Apple TV operating system. The company is also opening the program to any security researcher. Previously, only researchers who had been invited to sign up could report bugs to Apple and qualify for a reward, which was an unusual approach: most tech companies open their bug bounty programs to everyone, usually subject to certain rules.