Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure.
Since the program launched in 2020, Apple has awarded $35 million to 800 security researchers, with the company paying $500,000 for some of the submitted reports.
The highest reward has been doubled to $2 million, for reporting vulnerabilities that can lead to zero-click (no user interaction) remote compromise, similar to mercenary spyware attacks. However, payouts can go as high as $5 million through the bonus system.
“This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of - and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million,” said Apple.
Other payouts that were increased or newly introduced under the redesigned program include:
One-click (user interaction) remote attack - $1,000,000
Wireless proximity attack - $1,000,000
Broad unauthorized iCloud access - $1,000,000
WebKit exploit chain leading to unsigned arbitrary code execution - $1,000,000
Attack on locked device with physical access - $500,000