Apple has reopened its rewards program for reporting vulnerabilities, having finally decided to move away from the model that only allowed select researchers the company had approved, and has also expanded the systems covered by the program.
That is, any security researcher can now report bugs not only in iOS, but also in the rest of the Apple family of platforms: macOS, iPadOS, tvOS, watchOS, and also iCloud.
Apple opened its rewards program in August 2016, but it was not until the end of 2019 that the company really expanded it.
Rewards of up to one million dollars
The rules of the program specify that only those bugs that are in the latest public versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration will be eligible under the reward program.
In addition, it is mandatory not to publicly disclose the problem before Apple has released the corresponding update to resolve it. If a vulnerability is ignored by Apple and is unique to developer or public beta versions, this can result in a payment bonus of up to 50%.
The minimum rewards are $25,000, but they can reach up to $500,000 or one million dollars depending on the severity of the flaws. Apple even includes some tips on how to maximize your payment according to what interests the company most. You can read the detailed list of examples of rewards on the Apple website.
All reports should be detailed and contain a functional exploit with enough information for Apple to reproduce the problem. These should be sent to firstname.lastname@example.org in encrypted form.