Apple
Premium consumer technology company behind iPhone, Mac, iPad, and services like iCloud, Apple Pay, and the App Store.
https://apple.comMax Reward
$2,000,000
Total Paid
$20,000,000
Resolved
456
Avg Response
5 days
In-Scope Assets
iOS / iPadOS
Mobile operating systems and built-in apps
macOS
Desktop operating system and system services
iCloud
Cloud storage, sync, and authentication services
Apple Pay / Wallet
Payment processing and digital wallet
Out of Scope
- ✕ Physical hardware attacks
- ✕ Third-party App Store applications
- ✕ Social engineering
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (2)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| AAPL-001 | iCloud authentication bypass via manipulated recovery flow | Critical | Open | $50,000–$200,000 | 0 |
| AAPL-002 | Kernel memory disclosure in macOS Bluetooth stack | High | In Review | $25,000–$100,000 | 2 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.