
Apple is offering up to $2 million for vulnerabilities in its products

Apple has announced a major update and expansion of its bug bounty program. The company is doubling the maximum payouts for bug hunters, adding new categories to the program, and offering up to US$2 million for complex exploit chains.

Apple reports that since launching its public bug bounty program in 2020, it has paid out more than $35 million to over 800 security researchers. Several specialists earned $500,000 each for the bugs they discovered.

Recently, Apple introduced Memory Integrity Enforcement (MIE) — an always-on memory protection for iPhone designed to counter sophisticated spyware attacks. The company believes such threats are dangerous to users and intends to strengthen the protection of its products against such attacks.

To that end, Apple is significantly increasing bounties for vulnerabilities that could be used in exploit chains for spyware attacks.

For example, the maximum reward for a zero-click exploit chain that enables remote device compromise has increased from $1 million to $2 million. Apple emphasizes that this is the base payout: in theory, researchers can earn up to $5 million, but reaching that figure will not be easy, since it requires the additional bonuses for bypassing Lockdown Mode and for finding bugs in beta versions of the software.

The company is also significantly increasing payouts for:

  • application sandbox escape (from $150,000 to $500,000);
  • attacks with physical access to a locked device (from $250,000 to $500,000);
  • wireless attacks requiring physical presence (from $250,000 to $1 million);
  • remote compromise that requires one-click user interaction (from $250,000 to $1 million).

Additionally, Apple announced that one-click attacks via the browser that require bypassing WebKit protections will be rewarded with up to $300,000 if they achieve code execution with a sandbox escape. The reward can rise to $1 million if the exploit chain also enables execution of unsigned code with arbitrary entitlements.

Bounties were also increased for categories where no exploits have been demonstrated yet, such as a Gatekeeper bypass on macOS ($100,000) and unauthorized access to iCloud ($1 million).

In addition to the above, Apple introduced the Target Flags system, modeled on capture-the-flag (CTF) competitions, which is designed to make it easier for bug hunters to demonstrate vulnerabilities and to understand what reward they can expect for a report.

“When researchers demonstrate security issues via Target Flags, the flag objectively reflects the achieved capability level — for example, register control, arbitrary read/write, or code execution — and directly determines the payout amount. This makes the reward process as transparent as possible,” Apple explains. “Since Target Flags are verified programmatically on our side, researchers will receive a reward notification immediately after the flag is validated.”

Target Flags are supported in iOS, iPadOS, macOS, visionOS, watchOS, and tvOS.

Apple also notes that for exceptional research with well-written reports, researchers will still receive bonuses, and low-impact bugs can now earn about $1,000 (intended to motivate researchers to keep reporting their findings).
