
Apple doubles rewards: up to $2 million for zero-click attacks and over $5 million for bypassing protection

In November, Apple is updating its security researcher reward program: the company will pay up to $2 million for zero-click attack chains, and for individual supercritical bugs, in particular in beta versions or when bypassing Lockdown Mode, the total reward may exceed $5 million.


As Engadget reports, Apple has announced changes to its vulnerability bounty program and detailed the new amounts. The highest base payout has been doubled from $1 million to $2 million for zero-click exploit chains that achieve goals similar to those of commercial spyware attacks. In some scenarios the total can exceed $5 million, for example if the flaw affects beta software or allows bypassing the enhanced Lockdown Mode protection in Safari.

Payouts in other categories have also been increased. Chains that require a single user click now pay up to $1 million instead of $250,000. Attacks carried out from close physical proximity can also earn up to $1 million (up from $250,000). The maximum for vulnerabilities that require physical access to a locked device has increased to $500,000. Separately, Apple is paying up to $300,000 for demonstrating code execution in the WebContent component combined with a sandbox escape.

The company emphasizes that the system-level iOS attacks it has seen in the wild have come from spyware tools associated with government agencies. New protection mechanisms, including Lockdown Mode and Memory Integrity Enforcement, make it more difficult to exploit common memory flaws, but attackers are adapting. The increased payouts are therefore meant to incentivize deep research into the most critical attack surfaces despite their increasing complexity.

According to Ivan Krstic, Apple’s vice president of security, the company has paid out more than $35 million to more than 800 researchers since the program was launched and expanded. Maximum checks are rare, but Apple has repeatedly awarded $500,000 for findings when researchers showed reliably reproducible chains with minimal footprint.

Apple last revised its bounty cap to $1 million for zero-click attacks, so the current doubling, along with separate bonuses for beta bugs and bypassing security measures, makes the program one of the highest-paying in the industry. The focus is on complex, multi-step chains similar to the tools used in spyware campaigns, rather than isolated, minor flaws. The company hopes the increased payouts will speed up responsible disclosures and help close critical holes before real attackers exploit them.

Previously, dev.ua wrote about how Apple is preparing a big wave of new products. According to Bloomberg journalist Mark Gurman, the company is approaching mass production of the MacBook Air and MacBook Pro with M5 series chips, and by the end of the year it plans to update the iPad Pro and launch a new version of the Vision Pro.
