Apple Bug Bounty

Products

• Device attack via physical access
  • Lock Screen bypass
  • User data extraction
• Device attack via user-installed app
  • Unauthorized access to sensitive data
  • Elevation of privilege
• Network attack with user interaction
  • One-click unauthorized access to sensitive data
  • One-click with elevation of privilege
• Network attack without user interaction
  • Zero-click radio to kernel with physical proximity
  • Zero-click unauthorized access to sensitive data
  • Zero-click kernel code execution with persistence and kernel PAC bypass
• Beta Software: Issues that are unique to newly added features or code in developer and public beta releases, including regressions
• Lockdown Mode: Issues that bypass the specific protections of Lockdown Mode

Services

• iCloud
  • Unauthorized access to iCloud account data on Apple servers
• Remote Code Execution
  • Command injection, deserialization bugs, XXE leading to RCE
• Logic flaw bugs leaking or bypassing significant security controls
  • Direct object reference, remote user impersonation, account takeover, privilege escalation, IDOR, directory traversal, HTTP request smuggling, proxy misconfiguration leading to bypass of security controls
• Unrestricted file system or database access
  • Unsandboxed XXE, SQL injection
• Code execution on the client/server
  • Stored/DOM/Blind XSS, CSRF, SSR, HTML injection (more than phishing) or having write access authorization when prohibited
• Confidential or sensitive data
  • Generalized access control issues leading to exposure of PII
• Domain and subdomain takeovers
  • DNS zone, domain, and subdomain takeovers