Apple announced an update to its Security Bounty vulnerability reward program that significantly raises the bonus cap, making it one of the highest-paying cybersecurity programs in the industry.
Under the new system, a single vulnerability that can achieve the effects of a "mercenary-grade spyware" attack and can be exploited without user interaction can receive a reward of up to $200 million. If the vulnerability discovered by the researcher involves a beta version or can bypass the lockdown mode protection mechanism, the reward can be as high as $500 million.
Expand the scope of rewards to encourage offensive and defensive research
In addition to increasing rewards for zero-click exploits, Apple has also adjusted the bounty thresholds for other vulnerability types. For example, an exploit chain that can be triggered with a single click can earn up to $100 million (up from $25). Attacks that require physical proximity to the device have been increased to $100 million. Meanwhile, the reward for exploits that require physical contact and can crack a locked device has doubled to $50.
In addition, if researchers can demonstrate a vulnerability chain that combines web content code execution with sandbox escape, they can receive a reward of up to $30.
Ivan Krstić, Apple's vice president of security engineering and architecture, revealed that since the program was launched, the company has awarded more than $3500 million in bonuses to more than 800 security researchers, including several major bonuses of $50, but the highest bonuses are still extremely rare.
Countering nation-state attacks and spyware threats
Apple pointed out that most of the iOS system-level attacks currently observed come from "mercenary-level spyware groups" with state backgrounds or collaborating with governments. Such attacks often target specific political, journalistic or human rights-related targets and are highly covert and sophisticated.
To this end, Apple continues to introduce new protection architectures into the system, such as Lockdown Mode and Memory Integrity Enforcement, to reduce the risk of memory corruption and remote exploitation.
However, Apple also acknowledged that as attack methods continue to evolve, the difficulty of defense continues to increase. By expanding the reward mechanism, the company hopes to attract more senior security experts to conduct research on core attack surfaces and further improve the overall protection level of iOS and macOS.
Establish the world's most stringent security line of defense
Since Apple officially launched its bug bounty program in 2019, it has gradually moved from an invitation-only program to one fully open to the global security community. This adjustment not only increases the bounty amounts but also demonstrates Apple's commitment to repositioning its security defenses in the AI era.
Faced with an increasingly complex digital attack ecosystem, Apple hopes to attract more "white hat hackers" with high rewards to invest in research and strengthen system security from an attacker's perspective. For the industry, this is not just a strengthening of enterprise protection, but a substantial investment in the entire cybersecurity ecosystem.
