Apple Security Bounty Guidelines

A high-quality research report is critical to help us confirm and address an issue more quickly, and could help you receive an Apple Security Bounty reward.

A complete report includes:

• A detailed description of the issue(s) and the behavior you observed, as well as the behavior that you expected
• A numbered list of steps required to reproduce the issue
• A reliable exploit for the issue you are reporting
• Details of any related issues or variants

Apple strongly recommends including a working exploit, rather than a basic proof of concept. We accept reports without this information, but reports with more details typically receive higher bounty rewards. If your report doesn’t include the necessary information to allow us to reproduce the issue, we may not be able to accept your report or evaluate it for a bounty.

Issues that require execution of multiple exploits — as well as “one-click” and “zero-click” issues — require a full chain for maximum payout. Such issues should be submitted as a single report that includes:

• Both compiled and source versions
• Everything needed to execute the chain
• A sample nondestructive payload, if needed

If you provide an exploit chain, please add it to a password-protected archive as an attachment.

Apple Security Bounty eligibility rules are designed to make sure we can verify your research and protect customers until an update is available.

For an issue to be eligible for an Apple Security Bounty, the issue you report must occur on the latest publicly available version (including beta versions) of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration* and, where relevant, on publicly available hardware or the Security Research Device.

For Services vulnerabilities, the issue must relate to a web server or service owned by Apple or an Apple subsidiary, barring exclusions from the Terms and Conditions.

In addition, you must meet the following requirements:

• You must be the first party to report the issue directly to Apple Product Security on the web or by email.
• Your report must be clear and detailed and must include a reliable way to reproduce the issue, such as a working exploit.
• You must not disclose the issue publicly before Apple releases an update with a security advisory for the report.

Some issues may be eligible for an additional bonus. For example, security issues that are unique to newly added features or code in developer or public beta releases — including newly introduced regressions — may qualify for a 50 percent bonus, if they’re reported before the beta period ends. Reports that successfully bypass the specific protections of Lockdown Mode may qualify for a 100 percent bonus.

If you believe you have discovered a security or privacy vulnerability that affects Apple devices, software, services, or Apple-owned web servers, please report it to us.

Sign in with your Apple ID and submit your research. Anyone can submit a report, including security researchers, developers, and customers. If a report you submit is valid and eligible, you may be publicly recognized in our security advisories, and if your report meets additional criteria, you may also receive a reward through the Apple Security Bounty program.

We make it a priority to resolve security and privacy issues as quickly as possible. Please note that for the protection of our customers, Apple doesn’t disclose or confirm security issues until our investigation is complete and any necessary updates are generally available.

Alternatively, you can email your report to product-security@apple.com. If you choose to email us, use the Apple Product Security PGP key to encrypt sensitive information. To send us large files, use Mail Drop.

Please note that if you submit your report via email, you will not be able to track progress online.

Apple engineers review all reports that are submitted directly to us. If you submitted your report on the web, you can sign in with your Apple ID to view the status of your report.

Your report’s status will be updated when it’s being reviewed, when we make a determination about its impact, and — for eligible issues — when it’s being addressed. If we need additional information, we’ll add a comment to your report and notify you using the email associated with your Apple ID. If you have questions, or want to provide more information to help us reproduce or investigate an issue, you can add comments or attachments to your report at any time.

After a valid report is addressed, it will be reviewed for an Apple Security Bounty reward payment. If your report qualifies for a reward, you’ll see more information about your reward in the report page, including bounty status, amount, and any next steps.

Apple reviews each report to determine whether the issue reported is a valid security or privacy issue, and if so, whether it qualifies for a reward. All security issues with significant impact to users will be considered for the Apple Security Bounty, even if they don’t match published bounty categories.

Apple Security Bounty reward payments are based on:

1. The type of vulnerability, which can include the user interaction required, number of affected users, level of access and other factors.
2. The quality of your research report, which helps our team understand, reproduce, and address the issue more quickly.

Maximum bounty amounts require high quality reports and are meant to reflect significant scope and effort. Vulnerabilities that have a greater impact on users tend to receive larger bounty reward payments — for example, issues that affect most or all Apple platforms and affect a sensitive component, such as the XNU kernel or the Secure Enclave, or circumvent advanced security protections, such as Blastdoor or Lockdown Mode.

Other factors may include the number of users affected; the user interaction that’s required or whether the user is notified; the level of access or execution achieved; and the persistence of the issue. For example, a “zero-click” exploit — where an attacker would be able to gain access to a user’s data without any interaction from the user — would be eligible for a significantly larger bounty than an issue that requires physical access to a user’s device.

To increase your potential reward, make sure your report is detailed and thorough. Reports with only a basic proof of concept tend to receive about half the applicable amount for that bounty category, and those without a working proof of concept typically receive even less. If your report doesn’t indicate how to reproduce the issue, it may not qualify for a bounty. A report for a bounty-eligible issue with a clear attack scenario that clearly demonstrates the issue is more likely to receive a top reward than a report for the same issue without supporting details.