Apple doubles its greatest bug bounty reward to $2 million

Apple is updating its Security Bounty program this November to supply a number of the highest rewards within the trade. It has doubled its high award from $1 million to $2 million for the invention of “exploit chains that may obtain comparable objectives as refined mercenary spy ware assaults” and which requires no person interplay. However the most potential payout can exceed $5 million {dollars} for the invention of extra vital vulnerabilities, corresponding to bugs in beta software program and Lockdown Mode bypasses. Lockdown Mode is an upgraded safety structure within the Safari browser.

As well as, the corporate is rewarding the invention of exploit chains with one-click person interplay with as much as $1 million as an alternative of simply $250,000. The reward for assaults requiring bodily proximity to units can now additionally go as much as $1 million, up from $250,000, whereas the utmost reward for assaults requiring bodily entry to locked units has been doubled to $500,000. Lastly, researchers “who display chaining WebContent code execution with a sandbox escape can obtain as much as $300,000.” Apple’s VP for safety engineering and structure Ivan Krstić instructed Wired that the corporate has awarded over $35 million to greater than 800 safety researchers because it launched and expanded this system over the previous few years. Apparently, top-dollar payouts are very uncommon, however Apple has made a number of $500,000 payouts.

The corporate stated in its announcement that the one system-level iOS assaults it has noticed within the wild got here from mercenary spy ware, that are traditionally related to state actors and sometimes used to focus on particular people. It stated its new security measures like Lockdown Mode and Reminiscence Integrity Enforcement, which combats reminiscence corruption vulnerabilities, could make mercenary assaults tougher to drag off. Nevertheless, unhealthy actors will proceed evolving their strategies, and Apple is hoping that updating its bounty program with greater payouts can “encourage extremely superior analysis on [its] most crucial assault surfaces regardless of the elevated issue.”