Apple ups the reward for finding major exploits to $2 million

Apple has significantly increased the stakes in its bug bounty program, now offering a maximum payout of $2 million for discovering a chain of software exploits that could potentially be used for spyware. This announcement was made by Ivan Krstić, Apple's vice president of security engineering and architecture, during the Hexacon offensive security conference held in Paris. This new reward marks a substantial rise from previous maximum payouts of $200,000 in 2016 and $1 million in 2019. Apple's decision underscores the critical importance of identifying vulnerabilities within its tightly controlled mobile ecosystem. The company aims to prevent these discoveries from being exploited by malicious actors. In addition to the main reward, Apple has implemented a bonus structure within its bug bounty program. This includes extra rewards for exploits that can penetrate its enhanced Lockdown Mode, as well as those vulnerabilities found during the beta testing phase of Apple software. Collectively, this could bring the maximum potential payout for a significant exploit chain to an impressive $5 million. These changes will take effect next month. Krstić emphasized the motivation behind these high rewards, stating, "We want to ensure that researchers who possess the skills to tackle the toughest challenges, especially those resembling attacks seen with mercenary spyware, are significantly rewarded for their efforts." Currently, there are over 2.35 billion active Apple devices globally. Initially, the bug bounty program was invite-only, aimed at elite researchers. However, since opening to the public in 2020, Apple has distributed over $35 million to more than 800 security researchers. Although large payouts are infrequent, the company has issued several rewards of $500,000 in recent years.