Apple doubles its largest bug bounty reward to $2 million

Apple is updating its Security Bounty program this November to supply among the highest rewards within the business. It has doubled its high award from $1 million to $2 million for the invention of “exploit chains that may obtain comparable objectives as subtle mercenary spyware and adware assaults” and which requires no person interplay. However the most attainable payout can exceed $5 million {dollars} for the invention of extra crucial vulnerabilities, akin to bugs in beta software program and Lockdown Mode bypasses. Lockdown Mode is an upgraded safety structure within the Safari browser.

As well as, the corporate is rewarding the invention of exploit chains with one-click person interplay with as much as $1 million as a substitute of simply $250,000. The reward for assaults requiring bodily proximity to units can now additionally go as much as $1 million, up from $250,000, whereas the utmost reward for assaults requiring bodily entry to locked units has been doubled to $500,000. Lastly, researchers “who reveal chaining WebContent code execution with a sandbox escape can obtain as much as $300,000.” Apple’s VP for safety engineering and structure Ivan Krstić informed Wired that the corporate has awarded over $35 million to greater than 800 safety researchers because it launched and expanded this system over the previous few years. Apparently, top-dollar payouts are very uncommon, however Apple has made a number of $500,000 payouts.

The corporate stated in its announcement that the one system-level iOS assaults it has noticed within the wild got here from mercenary spyware and adware, that are traditionally related to state actors and sometimes used to focus on particular people. It stated its new safety features like Lockdown Mode and Reminiscence Integrity Enforcement, which combats reminiscence corruption vulnerabilities, could make mercenary assaults tougher to tug off. Nonetheless, unhealthy actors will proceed evolving their methods, and Apple is hoping that updating its bounty program with greater payouts can “encourage extremely superior analysis on [its] most crucial assault surfaces regardless of the elevated issue.”