Apple has significantly escalated its bug bounty program, now offering a maximum payout of $2 million for software exploits that could facilitate spyware attacks. This announcement was made by Ivan Krstić, Apple’s vice president of security engineering and architecture, during the Hexacon offensive security conference held in Paris. The new threshold nearly doubles previous maximum rewards, which stood at $1 million as recently as 2019.
This decision underscores the critical importance of finding and fixing vulnerabilities within Apple’s highly fortified mobile ecosystem. By increasing the potential rewards, Apple aims to incentivize researchers to bring key security issues to light before they can be exploited maliciously. The program also includes structured bonuses for exploits that bypass its enhanced Lockdown Mode or are discovered during beta software testing, so the total payout for a major vulnerability could reach $5 million. These changes are set to take effect next month.
In a statement to WIRED, Krstić emphasized the company’s commitment to rewarding researchers who tackle the most challenging security problems, particularly those that resemble threats posed by mercenary spyware. Apple has acknowledged the growing risk of exploitable vulnerabilities within its ecosystem, a trend that further validates their approach to bolstering cybersecurity measures.
Apple currently has over 2.35 billion devices in active use worldwide. Initially an invite-only initiative for elite security experts, the bug bounty program opened to public participation in 2020 and has since awarded over $35 million to upwards of 800 researchers. While large payouts are infrequent, Krstić noted that the company has executed several $500,000 rewards in recent years, indicating a serious investment in cybersecurity research.
In addition to enhanced payouts, the program’s scope is broadening to encompass new categories of vulnerabilities, including one-click exploits against the WebKit browser engine and wireless proximity attacks. Moreover, Apple is introducing a new initiative called “Target Flags” to facilitate real-world evaluation of exploits, akin to capture-the-flag hacking competitions, enabling researchers to demonstrate their findings effectively.
Apple’s commitment to cybersecurity encompasses a variety of strategic investments aimed at mitigating the risk of pervasive vulnerabilities. Recently, the company unveiled a new security feature, Memory Integrity Enforcement, in its iPhone 17 lineup, designed to counter the most frequently exploited iOS vulnerabilities. This feature represents a proactive measure to protect not just individual users, but also at-risk groups such as activists and journalists, thus demonstrating a broader moral responsibility to safeguard users against digital threats.
Krstić underscored the reasoning behind these efforts, stating that while the targeted user groups constitute a small fraction of Apple’s customer base, the evidence of abuse by malicious actors remains compelling. He reiterated Apple’s dedication to enhancing overall security, suggesting that protective measures for vulnerable individuals ultimately benefit all users, increasing the resilience of the entire ecosystem.
In light of this evolving landscape, business owners must remain vigilant about cybersecurity risks. As adversaries refine their tactics, potentially employing methods classified under MITRE ATT&CK tactics such as initial access and privilege escalation, robust security practices and proactive vulnerability management become ever more critical. By engaging with programs like Apple’s bug bounty, organizations can both contribute to a safer technological landscape and safeguard their own assets against emerging threats.