It's open season on Apple products. As spotted by 9to5Mac, the company has opened up its bug bounty program to the public, and it's offering payouts of up to $1.5 million for severe vulnerabilities that can be exploited without user interaction.
The company's bug bounty program was previously invitation-only and the payouts were lower than they are now. Both decisions were criticized by the security community, as discouraging the responsible disclosure of serious vulnerabilities could prompt researchers to profit off their discoveries in far less benevolent ways.
Selling exploits for Apple products could still be more lucrative than disclosing them via this program — there's always going to be a market for effective hacks targeting popular devices. But now it's easier for security researchers to don white hats instead of black ones.
Apple's bug bounty program pays between $100,000 for low-priority vulnerabilities, such as "unauthorized access to iCloud account data on Apple Servers," and $1 million for "zero-click kernel code execution with persistence and kernel PAC bypass." Researchers are given a 50% bonus for issues with beta software releases.
In addition to the funds given to developers, Apple will donate the same amount to qualifying charities, which are listed at Benevity. More information about Apple's bug bounty program can be found on its dedicated website. It explains who's eligible for the program, what each payout tier is and how developers should submit reports.