Apple announces ‘major evolution’ of its Security Bounty program: $2 million top award, more

Apple has announced what it describes as a “major evolution” of its Apple Security Bounty program. The company says the program has paid out more than $35 million to more than 800 security researchers so far. Today’s announcement touts the “next major chapter” for the program, including doubling the top award to $2 million for “exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks.” Apple says the $2 million award is an “unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of.” It is also significantly increasing awards for other categories, including iCloud and Gatekeeper discoveries: We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks. This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of — and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million. We’re also doubling or significantly increasing rewards in many other categories to encourage more intensive research. This includes $100,000 for a complete Gatekeeper bypass, and $1 million for broad unauthorized iCloud access, as no successful exploit has been demonstrated to date in either category. Another change highlighted by Apple includes expanding bounty categories to cover new attack surfaces: Our bounty categories are expanding to cover even more attack surfaces. Notably, we’re rewarding one-click WebKit sandbox escapes with up to $300,000, and wireless proximity exploits over any radio with up to $1 million. Apple is also introducing Target Flags, which it describes as a “new way for researchers to objectively demonstrate exploitability for some of our top bounty categories.” We’re introducing Target Flags, a new way for researchers to objectively demonstrate exploitability for some of our top bounty categories, including remote code execution and Transparency, Consent, and Control (TCC) bypasses — and to help determine eligibility for a specific award. Researchers who submit reports with Target Flags will qualify for accelerated awards, which are processed immediately after the research is received and verified, even before a fix becomes available. Finally, Apple says it will provide a thousand iPhone 17 devices to civil society organizations that can get those devices into the hands of at-risk users, including “members of civil society who may be targeted by mercenary spyware.” In 2022, we made an unprecedented $10 million cybersecurity grant in support of civil society organizations that investigate highly targeted mercenary spyware attacks. Now, we are planning a special initiative featuring iPhone 17 with Memory Integrity Enforcement, which we believe is the most significant upgrade to memory safety in the history of consumer operating systems. To rapidly make this revolutionary, industry-leading defense available to members of civil society who may be targeted by mercenary spyware, we will provide a thousand iPhone 17 devices to civil society organizations who can get them into the hands of at-risk users. This initiative reflects our continued commitment to make our most advanced security protections reach those who need them most. Apple says the updates will go into effect in November 2025, when it will also publish the full breakdown of new and expanded categories, rewards, and bonuses on the Apple Security Research site. For now, you can read more details on Apple’s Security Research website. My favorite iPhone accessories: Follow Chance: Threads, Bluesky, Instagram, and Mastodon.