FindArticles © 2025. All Rights Reserved.

Apple Supercharges Bug Bounty Payouts Into Millions

Last updated: October 10, 2025 11:04 am
By Bill Thompson

Apple is making significant increases to its bug bounty program, announcing a few huge changes at Black Hat 2019.

The top prize for the most serious category of iOS vulnerabilities (the kind often exploited as “zero-click” attacks) has been doubled from $1 million to $2 million, and Apple has opened the program up so that security researchers can demonstrate working, exploitable vulnerabilities on live phones or cloud setups without going through sandboxing systems like JTAG that reduce risk while walking back any potential financial gains.

Table of Contents
  • What Changed About Apple’s Bounty and New Top Rewards
  • Why Apple Is Upping the Ante on Bug Bounty Rewards
  • How It Compares With Other Programs and Payouts
  • What Researchers Should Know Before Submitting
  • The Bigger Security Picture for Apple’s Bug Bounties

All told, if a researcher’s findings hit just the right combination, the bonuses Apple has added, which stack on top of the base award, could push the payment for a submission all the way up to $5 million.

The move escalates Apple’s effort to outbid exploit brokers and mercenary spyware vendors for the attention of elite researchers.

The company says it has paid out more than $35 million to more than 800 researchers since opening the program up broadly, and it is now adapting incentives to meet the growing complexity (and accompanying cost) of today’s iOS and macOS attack chains.

What Changed About Apple’s Bounty and New Top Rewards

The headline figure is $2 million for a vulnerability that allows for remote compromise, without any user interaction. These “zero-click” chains are the gem of offensive cyber arsenals and allow silent takeover of devices through messaging apps, wireless stacks or system services.

Apple has also quadrupled the maximum for proximity-based one-click attacks, to $1 million. Though the company says it has not yet seen a near-field attack that results in full device compromise, the increased ceiling is designed to do exactly what you’d expect: surface those edge-case scenarios across Bluetooth, NFC and similar vectors.

New category bumps aim to fill high-impact holes: $100,000 for a full Gatekeeper bypass on macOS of all types, and $1 million for unsanctioned access to iCloud (a bar no public exploit has ever cleared thus far), Apple writes. Bonuses can be cumulative, meaning that a zero-click exploit that also breaks Lockdown Mode and affects new features in beta software could theoretically command up to $5 million.

Lockdown Mode and a new Memory Integrity Enforcement feature on iPhone 17 and Air are some of the defensive improvements which Apple says raise the bar.

The message is this: if you can clear Apple’s latest mitigations with a high enough jump, the payday now matches.

Why Apple Is Upping the Ante on Bug Bounty Rewards

Apple points to mercenary spyware, which is built on multimillion-dollar exploit chains that are frequently found in state-backed targeting. Groups like Citizen Lab and Amnesty Tech document routine abuses of commercial surveillance tools, and Apple ships Rapid Security Responses as a matter of course to block these capabilities.


By increasing rewards, Apple is seeking to tilt the economics of disclosure. When reporting responsibly to a vendor pays competitively, there is less incentive to sell adversarially (to black markets). Apple also presents the increase as acknowledgment that high-reliability, completely remote chains are just tougher to come by, and thus require longer and deeper research to create and replicate.

How It Compares With Other Programs and Payouts

Apple’s new $2 million cap puts it in the upper echelon of platform vendors. Google’s Android Rewards Program, for instance, has given away seven-figure payouts for full Titan M exploit chains with persistence, whereas Microsoft’s highest awards usually fall in the six-figure range, in categories such as Hyper-V and the cloud.

In the gray market, exploitation company Zerodium has advertised multimillion-dollar bounty offers for mobile zero-days. Over in the crypto world, Immunefi has intermediated bounties totaling over $15 million for catastrophic smart contract bugs. Apple’s theoretical cap of $5 million through stacked bonuses is unusually aggressive for a consumer platform and shows that it plans to compete with both public and private buyers.

What Researchers Should Know Before Submitting

Precision matters. Highest-tier payments go to clear, reliable chains against current releases, with details kept nonpublic until Apple is able to release a patch. Showing impact against Lockdown Mode, or that the vulnerability applies to new beta features, can unlock huge bonuses.

Apple notes that the new structure isn’t so much a response to cyber-arms dealers as it is an investment in coordinated vulnerability disclosure. For researchers, the practical takeaway is simple: The nearer your submission gets to being a turnkey, zero-click, defense-evading exploit on Apple’s latest devices and protections, the bigger the paycheck.

The Bigger Security Picture for Apple’s Bug Bounties

Apple’s overhauled bounty is a mix of carrot and signal. It rewards the most unlikely victories in defensive security and telegraphs faith in mitigations designed to price mercenary spyware out of everyday usability. It also nudges the whole industry toward transparency by making responsible disclosure more financially viable than a private sale.

Project Zero’s public research demonstrates just how brittle these increasingly long exploit chains have become as platform hardening increases. Apple’s payout hike runs counter to that trend. If the new ceiling can entice even a few top-tier submissions away from private brokers, the bottom line for users is obvious: fewer silent compromises, faster patches and a healthier vulnerability market.

For now, all but a few can only watch to see who will be the first researcher to clear Apple’s new $2 million bar, and whether anyone manages to string together a chain that claims the full $5 million with a Lockdown Mode bypass and a beta feature hit.

That prospect alone says something about how hotly contested the iOS and macOS attack surface has grown.

Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.