All big tech companies have bounty programs for those who find vulnerabilities in their software. Apple has had one for almost a decade. In 2016 it offered up to $200,000; the cap rose to $1 million in 2019, and now the company that already pays the most for this type of finding has raised the maximum again. Ivan Krstić, vice president of security engineering and architecture at Apple, announced last Friday at the Hexacon security conference, held in Paris, a reward of up to $2 million for a chain of software exploits that could be used for spyware purposes.
The move demonstrates Apple’s interest in preventing a vulnerability from being used by cybercriminals. In addition to individual payments – that is, for each validated report – the program has a bonus system that offers additional prizes.
If a researcher submits a report demonstrating a chain of exploits capable of turning an iPhone into a spyware target, Apple will make a one-time payment for that discovery of up to $2 million. If the report also meets the bonus criteria (for example, the issue was discovered during a beta, or the chain manages to bypass the defenses of Lockdown Mode, the iPhone's Isolation Mode), the single payment increases.
Altogether, the maximum reward for a potentially catastrophic chain of vulnerabilities now amounts to $5 million, the highest figure in the industry. The changes will take effect next month.
‘We are prepared to pay many millions of dollars and there is a reason for that. We want to make sure that, in the most difficult categories, in the most complex problems and in those that most resemble the attacks we see with mercenary spyware, researchers who possess those skills and dedicate that time and effort can receive an extraordinary reward’, noted Krstić.
Apple claims that more than 2,350 million of its devices are active worldwide. Its rewards program was born as an invitation-only initiative, but since it opened to the public in 2020, the company has distributed more than $35 million among more than 800 security experts. The highest rewards are rare, although Krstić confirmed that several payments of $500,000 have been awarded in recent years.
In addition to raising the financial limits, Apple has expanded the program categories to include certain one-click exploits that can affect WebKit, the engine used by the Safari browser, as well as wireless proximity vulnerabilities that are exploited using any type of wireless signal. It also introduces a new modality called Target Flags, which brings the format of Capture the Flag competitions to real tests on Apple software, allowing researchers to quickly and conclusively demonstrate the effectiveness of their findings.
As the best payer for finding vulnerabilities, Apple clearly leads, followed by Google, which offers up to $1.5 million in some cases. Meta pays up to $300,000, while Microsoft reaches a maximum of $250,000.