Apple has announced an open bug bounty program. Until now, Apple's bug bounty program was limited to selected researchers who received an invitation from Apple. That private bug bounty program only accepted reports for iOS. The new program is open to all security researchers and covers iPadOS, macOS, tvOS, watchOS, and iCloud.
The maximum bug bounty award under the new program is $1.5 million. Bounties under the previous program were capped at $200,000. Apple has published program rules which describe the program, covers eligibility, lists categories, and maximum payout per category.
Bounties are based on "level of access or execution achieved by the reported issue, modified by the quality of the report." Even if a report falls outside of one of the published categories, the payout will still be possible if the issue report has a significant impact on users.
In addition to bounties and general rules, Apple published four requirements to qualify as a "complete report". They include a detailed description of the issue, prerequisites and steps to get a system to the impacted state, reasonably reliable exploit for the reported issue, and ample information for apple to reproduce the issue. Check out the Apple Security Bounty site to learn more.