Apple doubles its top bug bounty to $2 million – payouts can now exceed $5 million

But Apple says only a rare few earn the top rewards

TechSpot

What just happened? Apple is doubling the top award in its bug bounty program from $1 million to $2 million, and with bonuses a single submission can now earn more than $5 million. Since opening the program to the public in 2020, Apple says it has paid out more than $35 million to more than 800 security researchers. But, as you'd expect, very few of them earn the highest payouts.

Five years ago, Apple opened its bug bounty program to all security researchers; before that it was invitation-only and limited to iOS vulnerabilities. As part of that change, the maximum reward rose from $200,000, where it had stood since 2016, to $1 million.

Now, Apple says it will update its Security Bounty program this November, including raising the maximum payout to $2 million. That amount is reserved for exploit chains that achieve the same goals as sophisticated mercenary spyware attacks and require no user interaction (so-called zero-click chains).

Two million dollars is no small sum, but Apple also has a bonus structure for submissions that include additional critical vulnerabilities, which pushes the maximum possible payout above $5 million.

Cupertino is also increasing payouts in other categories. Rewards for exploit chains that need one click of user interaction have quadrupled from $250,000 to $1 million, as has the payout for attacks that require physical proximity to a device. The top reward for attacks requiring physical access to a locked device has doubled from $250,000 to $500,000. And a researcher who can demonstrate WebContent (browser renderer) code execution chained with a sandbox escape can earn up to $300,000.

They're impressive figures. However, Apple's VP for security engineering and architecture, Ivan Krstić, told Wired that the top-tier payouts are very rare, although the company has made multiple $500,000 payments in recent years.

In addition to the increased rewards, Apple is making it easier for researchers to demonstrate their findings objectively. Its new Target Flags feature, inspired by capture-the-flag competitions, is built into its operating systems: a researcher who captures a flag provides verifiable proof of what their exploit achieved, which lets the company review the issue quickly and process the reward, even before a fix ships.


Apple says there are more than 2.35 billion of its devices in use worldwide. The company has long prided itself on the robustness and security of its products, which is the rationale for the high bug-bounty rewards. It emphasizes that the only system-level iOS attacks it has observed in the wild came from mercenary spyware: extremely sophisticated exploit chains, usually associated with state actors, that cost millions of dollars to develop and are used against a very small number of targeted individuals.