Apple doubles its biggest bug bounty to $2 million

Apple is updating its Security Bounty program in November to offer some of the highest rewards in the industry. It has doubled its largest reward from $1 million to $2 million for the discovery of “exploit chains capable of achieving objectives similar to those of sophisticated mercenary spyware attacks” that require no user interaction. The maximum possible payout can exceed $5 million for more critical discoveries, such as bugs in beta software and Lockdown Mode bypasses. Lockdown Mode is an enhanced security architecture in the Safari browser.

Additionally, the company now rewards the discovery of exploit chains that require one-click user interaction with up to $1 million instead of $250,000. The reward for attacks requiring physical proximity to a device has also risen to up to $1 million from $250,000, while the maximum reward for attacks requiring physical access to a locked device has been doubled to $500,000. Finally, researchers “who demonstrate sequencing WebContent code execution with a sandbox escape can receive up to $300,000.” Ivan Krstić, Apple’s vice president for security engineering and architecture, told Wired that the company has awarded more than $35 million to more than 800 security researchers since it introduced and expanded the program over the past several years. Apparently, the larger payments are very rare, but Apple has made several payments of $500,000.

The company said in its announcement that the only system-level iOS attacks it has observed in the wild have come from mercenary spyware, historically associated with state actors and typically used to target specific individuals. It said that its new security features, such as Lockdown Mode and Memory Integrity Hardening, which counters memory-corruption vulnerabilities, can make mercenary attacks more difficult to carry out. However, bad actors will continue to evolve their techniques, and Apple hopes that updating its bounty program with larger payouts can “encourage highly advanced research into [its] most critical attack surfaces despite the increased difficulty.”
