You must not disrupt, compromise, or otherwise damage data or property owned by other parties. This includes attacking any devices or accounts other than your own (or those for which you have explicit, written permission from their owners), and using phishing or social engineering techniques.
You must not disrupt Apple services.
Immediately both stop your research and notify Apple using the reporting process before any of the following occur:
You access any accounts or data other than your own (or those for which you have explicit, written permission from their owners).
You disrupt any Apple service.
You access systems related to Apple Pay. Apple Pay is not in scope of the Apple Security Bounty program.
You access a non-customer-facing Apple system. Examples of customer-facing Apple systems include iCloud, Apple ID, Managed Apple ID, App Stores, Apple Music, Apple News+, Apple TV+, Apple Arcade, Apple Maps, iMessage, FaceTime, IDS, and APNs.
You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you download or use Apple software or services.
Apple Security Bounty payments are granted solely at the exclusive discretion of Apple.
Apple Security Bounty payments may not be issued to you if you are (a) in any U.S. embargoed countries or (b) on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List or any other restricted party lists.
You are responsible for the payment of all applicable taxes.
A participant in the Apple Security Bounty program (“ASB Participant”) will not be deemed to be in breach of applicable Apple license provisions which provide that a user of Apple software may not copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such Apple software, for in scope actions performed by that ASB Participant where all of the following are met:
The actions were performed during good-faith security research, which was — or was intended to be — responsibly reported to Apple;
The actions were performed strictly during participation in the Apple Security Bounty program; and
Neither the actions nor the ASB Participants have otherwise violated these policies such as violating legal requirements 1, 2, and 3, above.