Report and Payout Guidelines

The goal of the Apple Security Bounty is to protect customers through understanding both vulnerabilities and their exploitation techniques. Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount. Reports lacking necessary information to enable Apple to efficiently reproduce the issue will result in a significantly reduced bounty payment, if accepted at all.

A complete report includes:

A detailed description of the issues being reported.

Any prerequisites and steps to get the system to an impacted state.

A reasonably reliable exploit for the issue being reported.

Enough information for Apple to be able to reasonably reproduce the issue.

Maximizing Your Payout

To maximize your payout, keep in mind that Apple is particularly interested in issues that:

Affect multiple platforms.

Impact the latest publicly available hardware and software.

Are unique to newly added features or code in designated developer betas or public betas, including regressions, as noted on this page when available.

Impact sensitive components.

Are novel.

Additional Requirements

In addition to a complete report, issues that require the execution of multiple exploits, as well as one-click and zero-click issues, require a full chain for maximum payout. The chain and report must include:

Both compiled and source versions.

Everything needed to execute the chain.

A sample non-destructive payload, if needed.

Sending Your Report

Send your report by email to product-security@apple.com. Whenever possible, encrypt all communications with the Apple Product Security PGP Key. Include all relevant videos, crash logs, and system diagnosis reports in your email. If necessary, use Mail Drop to send large files.