Earlier in August this year, the tech giant Apple launched its bug bounty program, under which security researchers can report defects and issues in its systems and products; at the time it was an invite-only initiative. Now the company has opened the program to the public. According to a notice on its developer website, the Cupertino-based company states plainly that it has always been committed to security and that it rewards researchers for sharing any security flaws or critical issues they find, including methods of exploiting its systems.
It further says that once it is made aware of such flaws, the company will fix them, demonstrating its commitment to quality and security in its products. The company also offers recognition to those who submit a valid report, and it matches bounty payments that are donated to qualifying charities. However, the company has laid out certain rules for eligibility under the Apple Security Bounty. The reported issues must occur on the latest publicly available versions of its operating systems, namely iOS, iPadOS, macOS, tvOS, or watchOS, in a standard configuration, and must be relevant on the latest publicly available hardware.
According to the company, researchers must be the first to report the issue to Apple, in a clear report that includes a "working exploit." They must also refrain from disclosing the problem publicly before Apple releases the security advisory for the report. It also says that issues unknown to Apple that are unique to designated developer betas and public betas, such as regressions, can still earn a 50% bonus payment. At the same time, Apple has clearly stated that bounty payments are determined by the level of access or execution achieved by the reported issue, as modified by the quality of the report.
A complete report, according to the company, should contain a detailed description of the problem being reported, the prerequisites and steps needed to bring the system to an impacted state, an exploit that is reasonably reliable for the issue reported, and enough information for Apple to reasonably reproduce the flaw. The tech giant has set a maximum amount for each category. For instance, a report of unauthorized access to iCloud account data on Apple's servers is eligible for up to $100,000, and the largest amounts Apple pays for reported flaws reach $1.5 million.