Apple has announced major updates to its bug bounty program, significantly increasing the rewards available to security researchers. This move is part of Apple’s ongoing effort to bolster the security of its products, particularly against sophisticated attacks like those from mercenary spyware vendors. The company believes these types of attacks are the most significant threat to its customers. By raising the financial incentives, Apple hopes to attract more outside talent to help find and fix critical vulnerabilities.
The highest reward for a zero-click exploit chain that achieves remote device compromise has been doubled from $1 million to $2 million. However, Apple has also made it theoretically possible for a researcher to earn as much as $5 million by including bonuses for bypassing Lockdown Mode or for vulnerabilities found in beta software. While this top-tier payout is considered difficult to achieve, it highlights Apple’s commitment to recognizing and rewarding the most impactful security research.
In addition to the top reward, Apple has also increased payouts across several other categories. For instance, the reward for an application sandbox escape has jumped from $150,000 to $500,000. Wireless attacks requiring physical proximity and remote hacking that requires one-click user interaction now both offer up to $1 million, a significant increase from their previous $250,000. These changes aim to incentivize researchers to focus on a wide range of security weaknesses, from physical access exploits to web browser vulnerabilities.
A new feature called Target Flags has been introduced to make the submission and reward process more transparent and efficient. Similar to flags in capture-the-flag competitions, these flags allow researchers to objectively demonstrate their findings. When a researcher’s report includes a captured flag, it provides verifiable proof of the exploit’s capability, such as arbitrary code execution. This allows Apple to immediately validate the finding and notify the researcher of their bounty award, making the process faster and more transparent than ever.
These updates apply to all of Apple’s major operating systems, including iOS, macOS, and watchOS. The company is also offering rewards for categories where no exploits have been demonstrated yet, such as a Gatekeeper bypass on macOS and unauthorized iCloud access, with potential payouts of $100,000 and $1 million, respectively. Apple will also continue to award bonuses for exceptional research and has even decided to provide a minimum reward of $1,000 for low-impact vulnerabilities to encourage continued reporting. The new payout structure is set to take effect in November 2025.
Reference:
