Apple Unveils $2 Million Reward for Identifying Critical Security Vulnerabilities


Apple Increases Bug Bounty Maximum Payout to $2 Million

Apple has announced a significant expansion of its bug bounty program, which has been running for nearly a decade. The update was unveiled by Ivan Krstić, Apple's Vice President of Security Engineering and Architecture, at the Hexacon offensive security conference in Paris. The new maximum payout, for a chain of software vulnerabilities that together achieve the kind of device compromise used by mercenary spyware, has been raised to $2 million.

Enhanced Payout Structure

The decision reflects how much Apple now values finding and fixing exploitable vulnerabilities in its mobile ecosystem before they reach the hands of commercial exploit vendors or spyware operators. Beyond the headline $2 million figure, Apple's reward structure includes bonuses: additional payouts for exploits that bypass Lockdown Mode, the hardened configuration intended for users at elevated risk, and for vulnerabilities reported against beta releases of Apple software. With those bonuses stacked, a single submission can be worth as much as $5 million.

Krstić emphasized the company’s commitment to incentivizing researchers skilled in navigating complex cybersecurity challenges. “We want to ensure that for the most difficult categories—those that closely resemble attacks seen from mercenary spyware—researchers who possess these abilities are rewarded significantly,” he stated.

Growth of the Bug Bounty Program

The program began as an invite-only initiative and was opened to all researchers in 2020. Apple reports having paid out more than $35 million to more than 800 security researchers worldwide. Top-tier payouts remain rare, but Krstić noted that there have been multiple $500,000 awards in recent years.

Expanded Vulnerability Categories

With this update, Apple is also broadening the categories eligible for rewards. The expansion covers one-click WebKit browser exploits (attacks that require the victim to open a malicious link) and wireless proximity exploits delivered over any radio technology, without physical access to the device. A new mechanism, which Apple calls "Target Flags," borrows from capture-the-flag competitions: a researcher's exploit plants a flag on the target system, which lets them demonstrate the exploit's capability quickly and unambiguously and lets Apple verify the result and pay out faster.

Commitment to Security

Apple's bug bounty program is one part of a broader strategy for reducing severe vulnerabilities and raising the cost of exploiting them. Most recently, the company introduced Memory Integrity Enforcement in the iPhone 17 line, an always-on memory-safety protection built on hardware memory tagging. It is aimed at the attacks faced by high-risk users such as activists and journalists, and targets memory-corruption bugs, the class of iOS vulnerability most often exploited in real attack chains.

As part of its efforts to support at-risk individuals, Apple announced it will donate 1,000 iPhone 17 devices to organizations that assist people vulnerable to targeted cyber-attacks.

Krstić framed the work as a moral obligation to protect Apple's users, acknowledging that while the vast majority will never face a targeted attack, defenses built for that threat raise the level of protection for every device owner.

Taken together, the higher rewards, the new exploit categories, and the hardware-level mitigations strengthen Apple's security posture while giving researchers a stronger incentive to report the most dangerous bugs to Apple rather than sell them elsewhere.
