Apple’s Bug Bounty program offers sizable cash rewards for finding defects. The program has been expanded to include iCloud, watchOS, tvOS, iPadOS and macOS.
By Chand Bellur
December 21, 2019 at 5:38 p.m. PDT
Apple Pays Cash for Bugs
It’s difficult to assure quality in today’s complex software platforms. Even simple products like Twitter succumb to embarrassing defects. Given the complexity and interoperability of their products, it’s amazing that Apple still delivers a modicum of quality.
Apple used to embrace the philosophy of small, incremental change. Although some products adhere to this practice, Apple has been relentlessly cramming features into releases, in order to stay competitive. Unlike Microsoft or other competitors, they manage to do this without egregious lapses in quality. iOS 13 is bad, but you can do much worse.
It’s hard to find top talent in the Silicon Valley these days. The best and brightest prefer to work at startups, not well-established companies like Apple and Google. As in-house quality assurance testing has become strained, Apple has looked outward, implementing an innovative reward system for ambitious engineers.
Apple’s bug bounty program offers rewards of up to one million dollars for finding defects in Apple products. Participants can even win a 50% bonus if they discover a unique defect, unknown to Apple.
Apple’s Bounties Are Bountiful
Apple products aren’t cheap, and their bounty payments are similarly exorbitant. If a QAT tester found a similar defect, they’d get a pat on the back and a decent paycheck, but not a million dollars. These are not easy defects to find, however. Winning an bug bounty from Apple requires finding a severe security flaw, not some minor, cosmetic defect.
Apple offers the following bounties for discovering defects. These are just a few examples:
- limited unauthorized control of an iCloud account – $25,000
- broad unauthorized control of an iCloud account – $100,000
- access to a small amount of sensitive data from the lock screen – $25,000
- partial access to sensitive data from the lock screen – $50,000
- broad access to sensitive data from the lock screen – $100,000
- partial extraction of sensitive data from the locked device after first unlock – $100,000
- app access to a small amount of sensitive data normally protected by a TCC prompt – $25,000
- Partial app access to sensitive data normally protected by a TCC prompt – $50,000
- Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox – $100,000
Apple offers other bounties for finding severe security defects. Refer to the Apple Security Bounty website for more information.