Apple’s bug bounty program costs $500 USD for reporting a security issue in iOS. $200 USD of this amounts to four tickets, and $750 USD of this amounts to 10 tickets. That’s an extra $2,750 for just filing two tickets for vulnerabilities, or $10,750 to file 10 tickets on an ongoing issue. It’s more than enough money in this tight economic climate to hire the equivalent of someone four times as smart as you… but it’s still not a lot. I did this myself when I started investigating a new project. A security researcher I knew personally (and whom I’d worked with for years) went off to do her PhD project – and as a result, it was possible to track her progress over a period of three years and make a full assessment of her work. That’s a lot of work on someone with no background in the security field, and the fact that she’d already completed her PhD before she ran free could be a bit of a problem. This worked well for me.
Another important note is that Apple’s bug bounty program does NOT guarantee your submission will get noticed or compensated. There are other opportunities to obtain access to a bug bounty program that are more directly compensated and less stressful. However, the bug bounty program will be very selective, and will only grant access to high impact vulnerabilities. The program has the capacity to reward you up to three times the reward offered for a high impact bug.
There are also a number of good ways to get in touch with Apple. The first is to contact an Apple security expert on the company’s support topic list. If you have a product or software issue that you suspect Apple may be facing, there’s a really good chance that the team at Apple is aware of it. Another way to do this is to use the company’s online forums and forums within other applications. But by far my favorite thing to do is just to do a Google search for “Security Research” and then copy and paste the result (that will be a link to the bug disclosure thread). So, if you come across a web page that you think might be of interest, search “Security research” or “Apple bug bounty program.” While going through these forums and sites, I found that there are a number of security firms that are especially interested in reviewing the security of an app they are supporting with a bounty. I can’t stress the importance of these firms enough. One firm I know of would pay upwards of $400 USD to anyone who found a flaw in the iOS security in OS X Mountain Lion. You can find more information about that firm’s stance on the matter on their website.

Bounty Programs in the Cloud

One of the easiest ways to get in touch with the security team of an app is to submit a bug report to a web service that hosts app code. This is usually “in the cloud,” where the security developer doesn’t have to maintain a physical server. So, they can quickly share the vulnerability with an internet service provider, and then someone on the development team is put to work to fix it, and if they don’t, it can be quickly pulled down. I won’t discuss how to submit a bug report, but if you’re doing that, I recommend using the tools that are included in Apple’s public API. The API provides a list of app resources and a list of apps that are open source, and is useful for people who want to report bugs against known flaws (that may or may not make it into the public code).
In addition to this, Apple runs an official Bug Bounty Program for third parties on the App Store. A simple Google search for “Security Research” will bring up numerous listings from security companies (some of them of a higher caliber than others). On the Web, any service with a listing of apps on its website will have the capability to submit a bug report to the Apple developers in their software. They will then have to verify that the submission is a valid bug report, and if that’s the case, they can then act upon the vulnerability and pay out a reward.
The cost of this is pretty high for most people, but companies such as VirusTotal.com, Security Central, and HackerOne all provide a high return on investment for those who are willing to spend some money. It’s not a bad investment for an average user, and it would get you the highest payout in those categories. Not everyone is able to put themselves on that kind of a budget, so you may have to make do with the apps listed on the links presented. If you have a question that you’d like to get answered by an Apple representative, you can email them directly with as much information as you have on the subject of your question. If they’re not the