Apple announced an update to its Security Bounty program, increasing financial rewards for security researchers. The changes are intended to encourage advanced research into vulnerabilities targeted by sophisticated mercenary spyware that requires no user interaction.
The program’s top award has doubled from $1 million to $2 million for discovering exploit chains achieving goals similar to sophisticated mercenary spyware attacks that require no user interaction. The maximum possible payout can exceed $5 million for identifying more critical vulnerabilities, such as bugs in beta software or methods that bypass Lockdown Mode, an upgraded security architecture in the Safari browser.
Other reward categories also saw increases. The program now offers updated payouts for several types of vulnerability discoveries:
- One-click user interaction: Rewards for exploit chains requiring a single click from the user increased to a maximum of $1 million, up from $250,000.
- Physical proximity attacks: The reward for attacks that necessitate physical proximity to a device was also raised to a ceiling of $1 million, an increase from $250,000.
- Physical access attacks: For attacks requiring physical access to a locked device, the maximum reward has been doubled to $500,000.
- WebContent execution: Researchers who demonstrate chaining WebContent code execution with a sandbox escape are eligible to receive up to $300,000.
Since the program’s introduction and expansion, Apple has awarded over $35 million to more than 800 security researchers, according to Ivan Krstić (via Wired), the company’s VP for security engineering and architecture. While top-dollar payouts are very rare, Apple has made multiple $500,000 payouts.
Apple stated in its announcement that the only system-level iOS attacks observed in the wild have come from mercenary spyware, an attack type historically associated with state actors and typically used to target specific individuals. New security features, including Lockdown Mode and Memory Integrity Enforcement, are designed to make such attacks more difficult by combating memory corruption vulnerabilities. Apple is hoping that updating its bounty program with bigger payouts can “encourage highly advanced research on its most critical attack surfaces despite the increased difficulty.”
