Apple has announced updates to its bug bounty program that double the maximum reward to $2 million for researchers who discover critical security vulnerabilities, with total payouts potentially exceeding $5 million when bonuses are included. The company said the $2 million base reward represents “the largest payout offered by any bounty program” it is aware of in the technology industry.
Why Apple is offering ‘largest payout offered by any bounty program’
The maximum $2 million reward will be paid for “exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks,” according to Apple's announcement. The company's bonus system can more than double this amount, with additional rewards available for vulnerabilities discovered in beta software and exploits that bypass Lockdown Mode, Apple's enhanced security feature. Combined, these bonuses can push total payouts above $5 million for a single discovery.
Apple is also increasing or doubling rewards across numerous other security categories to encourage more research. The company will now pay $100,000 for a complete Gatekeeper bypass. Gatekeeper is Apple's security feature that blocks unauthorized software on Mac computers.
Researchers who demonstrate broad unauthorised iCloud access will receive $1 million. Apple noted that no successful exploit has been demonstrated in this category to date.
The program is also adding coverage for new attack surfaces. One-click WebKit sandbox escapes will earn researchers up to $300,000. Wireless proximity exploits over any radio technology will be eligible for up to $1 million.
Apple introduces Target Flags system for faster payouts
Apple is introducing Target Flags, a system designed to help researchers objectively demonstrate exploitability in top bounty categories, including remote code execution and Transparency, Consent, and Control (TCC) bypasses.
Researchers who submit reports with Target Flags will qualify for accelerated awards. These payments will be processed immediately after the research is received and verified, even before Apple develops a fix for the vulnerability.