The Apple Security Bounty program was previously an invitation-only club, as explained in detail in this 9to5mac article; it is now open to anyone who finds potentially catastrophic bugs.
There are some rules though, as described in the Eligibility section:
In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware. These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research.
- Be the first party to report the issue to Apple Product Security.
- Provide a clear report, which includes a working exploit (detailed below).
- Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).
Published payouts include $100,000 for unauthorized access to iCloud account data on Apple servers and top out at $1,000,000 for zero-click kernel code execution with persistence and a kernel PAC bypass. Issues found in beta releases earn a 50% bonus on top of the base payout.
A nice addition is that if a researcher donates their bounty to charity, Apple will match the donation.