Apple expands bug bounty program, opens it to all researchers, raises rewards

Three years ago at the Black Hat conference, Apple announced its first bug bounty program, which was invite-only and limited to iOS.


At this year’s edition of the con, Ivan Krstić, Apple’s head of security engineering and architecture, announced changes to it.


Wider scope, higher bug bounties


Starting this fall, the program will be open to all researchers.



Apple Bug Bounty. pic.twitter.com/jyD9UwU9pI — mikeb (@mikebdotorg) August 8, 2019


The bug bounty program has been widened to include the following “targets”: macOS, iCloud, tvOS, watchOS and iPadOS (an upcoming mobile OS for iPads).


Maximum payouts for specific bugs are as follows:


  • Unauthorized access to iCloud account data on Apple servers – $100,000
  • Attack via physical access
      ◦ Lock screen bypass – $100,000
      ◦ User data extraction – $250,000
  • Attack via user-installed app
      ◦ Unauthorized access to high-value user data – $100,000
      ◦ Kernel code execution – $150,000
      ◦ CPU side channel attack on high-value user data – $250,000
  • Network attack requiring user interaction
      ◦ One-click unauthorized access to high-value user data – $150,000
      ◦ One-click kernel code execution – $250,000
  • Network attack with no user interaction
      ◦ Zero-click radio to kernel with physical proximity – $250,000
      ◦ Zero-click access to high-value user data – $500,000
      ◦ Zero-click kernel code execution with persistence – $1,000,000

If any of these bugs is found in pre-release builds, researchers can also earn a hefty bonus (up to 50% of the reward amount).


The iOS Security Research ..