Six white-hat hackers spent a few months on Apple’s bug bounty program:

There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports. These severities were assessed by us for summarization purposes and are dependent on a mix of CVSS and our understanding of the business related impact.

This is a report of their findings: how they did it, vulnerabilities found, and how Apple responded to each one.