Apple doubles its largest bug bounty reward to $2 million

Apple is updating its Security Bounty program this November to supply a few of the highest rewards within the trade. It has doubled its prime award from $1 million to $2 million for the invention of “exploit chains that may obtain related objectives as subtle mercenary adware assaults” and which requires no person interplay. However the most attainable payout can exceed $5 million {dollars} for the invention of extra essential vulnerabilities, similar to bugs in beta software program and Lockdown Mode bypasses. Lockdown Mode is an upgraded safety structure within the Safari browser.

As well as, the corporate is rewarding the invention of exploit chains with one-click person interplay with as much as $1 million as an alternative of simply $250,000. The reward for assaults requiring bodily proximity to units can now additionally go as much as $1 million, up from $250,000, whereas the utmost reward for assaults requiring bodily entry to locked units has been doubled to $500,000. Lastly, researchers “who display chaining WebContent code execution with a sandbox escape can obtain as much as $300,000.” Apple’s VP for safety engineering and structure Ivan Krstić informed Wired that the corporate has awarded over $35 million to greater than 800 safety researchers because it launched and expanded this system over the previous few years. Apparently, top-dollar payouts are very uncommon, however Apple has made a number of $500,000 payouts.

The corporate mentioned in its announcement that the one system-level iOS assaults it has noticed within the wild got here from mercenary adware, that are traditionally related to state actors and sometimes used to focus on particular people. It mentioned its new security measures like Lockdown Mode and Reminiscence Integrity Enforcement, which combats reminiscence corruption vulnerabilities, could make mercenary assaults tougher to tug off. Nevertheless, unhealthy actors will proceed evolving their strategies, and Apple is hoping that updating its bounty program with larger payouts can “encourage extremely superior analysis on [its] most important assault surfaces regardless of the elevated problem.”