Apple Increases Maximum Bug Bounty to $2 Million for Critical Flaws

Apple has significantly expanded its bug bounty program, doubling the top reward to $2 million for zero-click remote code execution vulnerabilities that require no user interaction. This unprecedented payout can even exceed $5 million when combined with bonuses for bypassing Lockdown Mode or finding flaws in beta software. The program also introduces new, high-value categories, offering $1 million each for one-click remote attacks, wireless proximity exploits, and broad unauthorized iCloud access.

The company noted it has never received valid reports for certain high-challenge categories, such as a complete Gatekeeper bypass without user interaction, highlighting areas for researcher focus. The wireless proximity award category has been expanded to include Apple's custom chips like the C1 and N1. Since its launch in 2020, the program has paid out $35 million to hundreds of security researchers.

Looking ahead, Apple plans to distribute a thousand secured iPhone 17 devices to at-risk civil society groups and researchers in 2026. These enhanced rewards are designed to incentivize the discovery and responsible reporting of sophisticated vulnerabilities, ultimately raising the cost for spyware vendors and improving security for all users.
