Apple Unveils $2 Million Bug Bounty for Discovering Critical Exploits

Apple is significantly raising the stakes in its bug bounty program, now offering a maximum payout of $2 million for critical software exploits. Vice President Ivan Krstić announced the change at the Hexacon offensive security conference in Paris. The new reward can be part of a larger maximum total of $5 million when combined with additional bonuses for exploits that bypass the company’s secure Lockdown Mode or for vulnerabilities discovered during the beta phase of its software.

Since the inception of its bug bounty program about a decade ago, Apple has steadily increased its maximum payouts, offering $200,000 in 2016 and $1 million in 2019. This latest increase underscores the rising importance of protecting Apple’s ecosystem from the growing threats of spyware and other malicious exploits. Krstić noted that the company is prepared to pay millions to ensure that the most significant vulnerabilities are found and reported rather than exploited by malicious actors.

Apple claims to have over 2.35 billion devices active worldwide and has awarded more than $35 million to over 800 researchers since making the program public in 2020. Higher payouts, however, are rare. Besides announcing the increased monetary rewards, Apple broadened the scope of its bug bounty to encompass categories like one-click WebKit browser infrastructure exploits and wireless proximity exploits through radio. A new feature termed “Target Flags” allows researchers to demonstrate their exploit capabilities in a capture-the-flag style competition.

These initiatives, along with recent security upgrades in the new iPhone 17 lineup aimed at thwarting frequent iOS vulnerabilities, reflect Apple’s commitment to enhancing security for its users. The company is especially focused on protecting vulnerable groups such as activists and journalists. Krstić emphasized a moral responsibility to defend those at risk from spyware, even if most users are not directly targeted. Additionally, Apple is contributing by donating iPhone 17s to rights organizations that aid users susceptible to digital attacks.
