
"The highest reward increases to $2 million for vulnerabilities that can lead to a so-called zero-click remote compromise, which requires no user action. According to Apple, this is the industry's highest reward. Through a bonus system, for example, for bypassing Lockdown Mode or discovering vulnerabilities in beta software, the total reward can even exceed $5 million. With the new setup, Apple aims to encourage advanced research into attack techniques similar to those used by commercial spyware."
"Apple has announced an update to its Apple Security Bounty program. The company is doubling the maximum reward to $2 million, expanding the number of research categories, and introducing a new system that allows researchers to have their vulnerabilities verified and paid out more quickly. Since the program's launch in 2020, Apple has paid out more than $35 million to over 800 security researchers."
"One of the most notable new features is the introduction of Target Flags. These are built-in markers in Apple's operating systems that allow researchers to objectively demonstrate that their exploit actually works, for example, for code execution or sandbox escape. Once Apple has validated a Target Flag, the reward is awarded immediately, even before a security update is available. According to Apple, this should make the assessment process more transparent and faster, and strengthen trust with the research community."
Apple is updating its Security Bounty program by doubling the maximum reward, expanding research categories, and accelerating verification and payouts. The top bounty rises to $2 million for zero-click remote compromises; bonuses (for bypassing Lockdown Mode or finding beta vulnerabilities) can push totals beyond $5 million. Wireless-proximity and one-click attacks can earn up to $1 million. Locked-device attacks and app sandbox escapes qualify for up to $500,000, and a complete macOS Gatekeeper bypass without user interaction earns $100,000. Smaller valid reports receive a $1,000 incentive. Target Flags let researchers prove exploits objectively and trigger immediate payouts upon validation. The new structure begins in November 2025, and Apple will publish the full categories and guidelines then.
Read at Techzine Global