Apple Bug Bounty Program Nets Hacker Team Nearly $300,000 in Just a Few Months

iPhones on Display at an Apple Store Credit: Scream band / Shutterstock

A group of hackers hit a gold mine when searching for vulnerabilities in Apple’s operating systems. According to a recent blog post, the team earned nearly $300,000 in bounties for the flaws they found in Apple’s ecosystem. The five-member team started working on July 6th of this year and ended their work on October 6th.

For the past three months, Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes have been working together to find flaws in Apple’s operating systems. The team identified 55 vulnerabilities ranging in severity from critical to low. 

The team thus far has received 32 payments totaling $288,500. This tally includes $34,000 for discovering a memory leak that contained customer data and $5,000 for a flaw that could have let hackers steal iCloud users’ names.

The team hinted that they may have more bounties coming, suggesting they will likely net well over $300,000 for their effort.

What Is Apple’s Bug Bounty Program?

Last year, Apple kicked off a security bounty program that pays hackers and developers who discover flaws in the company’s operating systems. The eligible operating systems are the latest publicly available versions of iOS, iPadOS, macOS, tvOS, and watchOS.

Developers who find critical issues must report both the flaw and the techniques used to exploit it to Apple, and Apple must be able to reproduce the problem to confirm it exists. Bug finders also need to wait until Apple releases a security advisory before disclosing the flaw publicly.

Apple pays for each flaw, with larger payouts for vulnerabilities that Apple does not already know about and for those found in select developer and public betas.

Apple also pays extra for “regression” bugs, which were patched in previous versions of the operating system but re-emerge unexpectedly following an update. Payments start at $2,500 for less critical issues and climb to a jaw-dropping $1,000,000 for significant vulnerabilities that let hackers execute kernel-level code with zero-click access, meaning no user interaction is required.
