Apple Opens Public Bug Bounty Program, Publishes Official Rules (zdnet.com)
Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas. From a report: Until today, Apple ran an invitation-based bug bounty program for selected security researchers only and was accepting only iOS security bugs. Starting today, the company will accept vulnerability reports for a much wider spectrum of products that also includes iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, the company has also increased its maximum bug bounty reward from $200,000 to $1,500,000, depending on the exploit chain's complexity and severity.
Yeah, good luck with that ... closed source. (Score:2)
Would be easier to spot bugs, if it was, you know, ... open!
Since your software can legally run on your devices only, what's the point of closing the source anyway?
Re: (Score:2)
https://github.com/apple/darwi... [github.com]
Here's my bug report (Score:2)
I have a great plan, without the ... step! (Score:2)
2. Make him/her write bugs and let you know
3. Find the bugs after the release. Claim the reward
4. No ... needed.
5. Profit!!
Re: (Score:2)
Re: (Score:2)
How to stop them from cutting me out of the deal?
No worries needed. If they are that smart, why are they working for a living instead of posting get-rich-quick schemes on Slashdot?
I wouldn't bother (Score:2)
If you say the "wrong thing" (tm), they have a history of locking you out of their forums.
Max bounties seem off ... (Score:1)
From: https://developer.apple.com/se... [apple.com]
iCloud - Unauthorized access to iCloud account data on Apple Servers - $100,000 max. bounty
I think some celebrities would find that bounty maximum low, possibly obscenely low :-)
Meh (Score:2)
My experience with Apple is that they are slow to acknowledge and fix bugs.
Here is one where I found a customer information leak on their store home page (server misconfiguration) and it took them two years to acknowledge and fix.
https://privacylog.blogspot.co... [blogspot.com]
They listed me on the thank you page, no payment. So if you expect them to pay out on the $1.5M it might happen but you might have to leave it in your will for your grandchildren.