Apple Boosts Bug Bounty to $2 Million for Critical Exploits

Summary
– Apple has increased its maximum bug bounty payout to $2 million for software exploit chains that could enable spyware attacks.
– The company will now offer up to $5 million total for the most severe exploit chains, including bonuses for bypassing Lockdown Mode and finding bugs in beta software.
– Apple’s bug bounty program aims to attract top researchers to prevent critical vulnerabilities from being exploited by mercenary spyware groups.
– Since opening to the public in 2020, Apple has paid over $35 million to more than 800 security researchers worldwide.
– The program changes reflect the high value of vulnerabilities in Apple’s ecosystem, which protects over 2.35 billion active devices globally.
Apple is dramatically increasing its bug bounty rewards, now offering up to $2 million for critical exploit chains that could enable spyware attacks. This substantial increase, announced at the Hexacon security conference in Paris by Apple’s security chief Ivan Krstić, underscores the immense value the company places on securing its ecosystem of over 2.35 billion active devices. The new top reward represents a significant jump from previous maximums and is part of a broader strategy to incentivize security researchers to report the most severe vulnerabilities directly to Apple.
This strategic move highlights just how critical exploitable weaknesses are within Apple’s famously guarded mobile environment. The company is demonstrating a clear willingness to invest heavily to ensure these discoveries are reported responsibly, rather than being sold to malicious actors on the open market. Beyond the headline-grabbing $2 million figure, the program incorporates a bonus system that can substantially increase the final payout. Researchers can earn extra rewards for exploits that successfully circumvent the ultra-secure Lockdown Mode or for vulnerabilities found during Apple’s beta testing phases. When all potential bonuses are combined, a single, catastrophic exploit chain could now net a researcher a staggering $5 million. These updated reward tiers are scheduled to become active next month.
Krstić emphasized the rationale behind these multi-million-dollar incentives. The goal is to ensure that for the most challenging security problems, those that closely resemble the sophisticated attacks deployed by mercenary spyware firms, the talented researchers who dedicate their skills and time receive a reward that truly reflects the gravity of their findings. Apple wants to create a powerful financial motivation for experts to work with the company directly.
While the program initially launched as an exclusive, invitation-only initiative for a select group of elite researchers, it was opened to the public in 2020. Since that expansion, Apple has distributed more than $35 million in rewards to over 800 security specialists around the globe. Although the multi-million-dollar payouts will understandably be rare, the company has already proven its commitment to high-value rewards, having issued several $500,000 payments in recent years.
(Source: Ars Technica)