
Apple has revamped its Security Bounty program, doubling its top reward to $2M for zero-click RCE exploits.
Introduction
Apple has expanded its bug bounty program, doubling its top reward to $2 million for certain critical exploits. Zero-click remote code execution (RCE) vulnerabilities—flaws needing no user action—now qualify for the highest bounty, reflecting how dangerous these bugs can be. Since 2020, Apple has paid $35 million to over 800 researchers. The revamped rewards and bonuses encourage researchers to find serious vulnerabilities.
Expanded Rewards and Categories
- $2M top prize for zero-click RCE exploit chains.
- $1M awards for other severe exploits: one-click remote attacks, wireless-proximity attacks, broad iCloud access, and WebKit exploit chains.
- Higher payouts for locked-device exploits and sandbox escapes (up to $500K), plus $1,000 “encouragement” prizes for valid low-impact reports. These updates make Apple’s bounty one of the most generous in the industry.
Fighting Real-World Threats
The focus on zero-click flaws is driven by real attacks. NSO Group’s Pegasus spyware exploited a zero-click iMessage vulnerability in 2021 to infect iPhones. Apple hopes these high rewards will encourage researchers to find such stealthy bugs before attackers can exploit them.