To date, the company has only run bug bounty programs for selected researchers and only accepted security bugs for iOS.
In addition, the company has increased the maximum reward from $200,000 to $1,500,000, depending on the complexity and severity of the vulnerability chain.
Along with the official announcement of its new program, Apple has also posted a new page on its website detailing the bug bounty rules for the main bugs, as well as a breakdown of the rewards given to researchers based on their findings.
These are pretty strict rules, which set the bar high for those who want to win top rewards. To be eligible for top prizes and bonuses, a researcher must submit clear reports. These include:
- Detailed description of the problems discovered.
- Any conditions and steps needed to bring the system into the affected state.
- A reliable finding for the discovery being reported.
- Enough information so Apple can reproduce the problem.
Novel security bugs that impact multiple platforms, work on the latest hardware and software, and affect sensitive system components will give a researcher a greater chance of earning the top $1.5 million reward.
Vulnerabilities identified in beta versions will be rewarded as well. Apple says it will add a 50% bonus on top of the reported payout for any bugs found in a beta.
The reason bugs in beta versions earn high rewards is that these bug reports allow Apple to fix significant security flaws before they reach production versions of its software, where they would affect billions of devices.
Apple's bug bounty program will also give a 50% bonus for regression bugs. These are bugs that Apple had fixed in earlier versions of its software but that have been reintroduced into the code at a later stage.
Vulnerabilities that allow zero-click or one-click attacks are the ones that will bring the most money to researchers. However, Apple requires the full exploit chain for these types of bugs.
If, for example, one of these attacks uses three different bugs linked together, the researcher will have to submit the full exploit chain that incorporates all three bugs, and not just one, to earn the maximum reward.
For more details on Apple's new bug bounty program, visit the company's official website.