Apple increases the bounty for discovering significant exploits to $2 million

by admin

Since launching its bug bounty program almost ten years ago, Apple has consistently emphasized significant maximum rewards: $200,000 in 2016 and $1 million in 2019. Now, the company is raising the bar once more. During the Hexacon offensive security conference in Paris on Friday, Apple’s vice president of security engineering and architecture, Ivan Krstić, revealed a new maximum payout of $2 million for a series of software vulnerabilities that could be exploited for spyware.

This decision underscores the significant worth of exploitable weaknesses in Apple’s tightly controlled mobile ecosystem, and the measures the company is willing to take to keep such findings from falling into the wrong hands. Besides individual rewards, the company’s bug bounty also features a bonus scheme, offering additional awards for exploits that can circumvent its extra-secure Lockdown Mode as well as those uncovered while Apple software is still in its beta testing stage. In total, the maximum reward for what could otherwise be a potentially disastrous exploit sequence will reach $5 million. These changes will take effect next month.

“We are preparing to distribute many millions of dollars here, and there’s a rationale,” Krstić tells WIRED. “We aim to ensure that for the most challenging categories, the toughest issues, the ones that most closely resemble the types of attacks we encounter from mercenary spyware—that the researchers possessing those skills and dedication, who invest that effort and time, can receive a significant reward.”

Apple reports that there are over 2.35 billion of its devices in use globally. The company’s bug bounty was initially an invitation-only program for top researchers, but since becoming public in 2020, Apple claims to have distributed more than $35 million to over 800 security experts. High-value payouts are quite uncommon, yet Krstić mentions that the company has issued multiple $500,000 rewards in recent years.
