Apple has announced updates to its bug bounty program that double the maximum reward to $2 million for researchers who discover critical security vulnerabilities, with total payouts potentially exceeding $5 million when bonuses are included. The company said the $2 million base reward represents “the largest payout offered by any bounty program” it is aware of in the technology industry.
Why Apple is offering ‘largest payout offered by any bounty program’
The maximum $2 million reward will be paid for “exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks,” according to Apple's announcement. The company's bonus system can more than double this amount, with additional rewards available for vulnerabilities discovered in beta software and exploits that bypass Lockdown Mode, Apple's enhanced security feature. Combined, these bonuses can push total payouts above $5 million for a single discovery.
Apple is also increasing or doubling rewards across numerous other security categories to encourage more research. The company will now pay $100,000 for a complete Gatekeeper bypass. Gatekeeper is Apple's security feature that blocks unauthorized software on Mac computers.
Researchers who demonstrate broad unauthorized iCloud access will receive $1 million. Apple noted that no successful exploit has been demonstrated in this category to date.
The program is also adding coverage for new attack surfaces. One-click WebKit sandbox escapes will earn researchers up to $300,000. Wireless proximity exploits over any radio technology will be eligible for up to $1 million.
Apple introduces Target Flags system for faster payouts
Apple is introducing Target Flags, a system designed to help researchers objectively demonstrate exploitability in top bounty categories, including remote code execution and Transparency, Consent, and Control (TCC) bypasses.
Researchers who submit reports with Target Flags will qualify for accelerated awards. These payments will be processed immediately after the research is received and verified, even before Apple develops a fix for the vulnerability.