If you want proof that Apple is taking iPhone security seriously, look no further than its new $2 million payout for its bug bounty program.
Compared to most companies, Apple has traditionally been somewhat stingy when it comes to rewarding individuals who unearth iPhone exploits. More recently, though, Apple has come to the realization that if it wants to discover and patch serious iPhone exploits before malicious actors take advantage of them, it has to increase the rewards available to security researchers.
In light of the above, Apple recently made significant changes to its bug bounty program. On October 10, Apple announced that the top award for an iPhone exploit is now $2 million, compared to $1 million previously. Naturally, to earn the $2 million, researchers will have to discover an exploit that “can achieve similar goals as sophisticated mercenary spyware attacks.” Apple boasts that the $2 million figure is the largest amount offered by any bug bounty program currently in existence. Apple adds that the $2 million payout can jump to $5 million if the exploit is accompanied by others, such as a bypass of Lockdown Mode.
Additionally, Apple says that it’s boosting the payouts for other exploits. For example, a method to bypass Gatekeeper is now worth $100,000, while an exploit capable of unauthorized iCloud access now yields $1 million. On top of it all, Apple is expanding the scope of its bug bounty program to include more categories, including WebKit hacks and wireless proximity exploits.
Apple notes that over the past five years its bug bounty program has paid out more than $35 million in awards to over 800 hackers and researchers. Underscoring Apple’s effort to make the program especially appealing, the company now offers researchers an accelerated track for receiving awards.
“We’re introducing Target Flags, a new way for researchers to objectively demonstrate exploitability for some of our top bounty categories, including remote code execution and Transparency, Consent, and Control (TCC) bypasses,” Apple writes. “Researchers who submit reports with Target Flags will qualify for accelerated awards, which are processed immediately after the research is received and verified, even before a fix becomes available.”