Apple is increasing the reward for finding major exploits to $2 million

Since launching its bug bounty program nearly a decade ago, Apple has consistently promoted notable maximum payouts: $200,000 in 2016 and $1 million in 2019. Now the company is upping the ante again. At the Hexacon offensive security conference in Paris on Friday, Apple vice president of security engineering and architecture Ivan Krstić announced a new maximum payout of $2 million for a chain of software exploits of the kind that spyware relies on.

This move reflects just how valuable exploitable vulnerabilities can be within Apple's highly secure mobile environment, and the lengths the company will go to to keep such discoveries from falling into the wrong hands. In addition to individual payouts, the company's bug bounty also includes a bonus structure, adding extra rewards for exploits that can bypass the extra-secure Lockdown Mode, as well as for exploits discovered while Apple software is still in beta testing. All told, the maximum reward for what would otherwise be a potentially catastrophic exploit chain will now be $5 million. The changes will take effect next month.

“We are lining up here to pay many millions of dollars, and there is a reason for that,” Krstić tells WIRED. “We want to make sure that for the toughest categories, the toughest problems, the things that most closely resemble the kind of attacks we see with mercenary spyware, the researchers who have those skills and capabilities and who put in the effort and time can get a huge reward.”

Apple says there are more than 2.35 billion of its devices active worldwide. The company's bug bounty was originally an invitation-only program for leading researchers, but since opening to the public in 2020, Apple says it has awarded more than $35 million to more than 800 security researchers. High-dollar payouts are very rare, but Krstić says the company has paid out $500,000 several times in recent years.