Apple expands bug bounty programme, gives up to 2 million dollars
Apple doubles, and in some categories quadruples, its payouts for reported security vulnerabilities. New categories cover more classes of bugs.
Apple logo with a lock: Bug bounty programmes help to close gaps more quickly.
(Image: obert coolen / Shutterstock.com)
Hackers and security researchers who find vulnerabilities in Apple's operating systems can expect significantly higher payouts under the company's bug bounty program. The iPhone manufacturer wants to make itself more attractive to the security community, and presumably also wants to keep exploitable bugs from ending up in problematic channels (for example with criminals or with the intelligence services of authoritarian regimes).
35 million US dollars paid out
Apple also announced that it has paid out more than 35 million US dollars since 2020 to a total of 800 security researchers. Several of them have received 500,000 dollars each. "We are grateful to everyone who shares their research findings and works closely with us to protect our users," the company said. In the past, however, Apple's bug bounty team had been criticised for its payout conditions and its slow response times. The company is apparently hoping to address this criticism with the new measures.
Apple had previously paid a maximum of 1 million dollars for a remote zero-click attack, i.e. one that requires no user interaction and results in a full takeover of the device. This maximum has now been raised to 2 million. A so-called one-click chain, which needs a single click from the user for a successful exploit, now pays up to 1 million instead of 250,000 dollars. Wireless proximity attacks, where the attacker must be physically near the device, are also quadrupled to 1 million. Successful attacks requiring physical access to a locked device are doubled from 250,000 to 500,000 dollars. An app sandbox escape (up to and including an SPTM bypass) now earns 500,000 instead of 150,000 dollars.
Changes to the categories
In addition to the payouts listed above, bonuses can raise the total to as much as 5 million dollars. All of the examples above refer to complete exploit chains; individual bugs pay less. Apple is expected to publish more details on this later; at the time of writing, its website still shows the old information. The company is also adding new bug categories to the program. One is WebContent code execution with sandbox escape (up to 300,000 dollars), which rises to 1 million if the chain achieves unsigned code execution. Finally, the "Wireless Proximity" category is being extended to current Apple chips such as the C1, C1X and N1. To make it clearer to researchers what is paid and when, Apple is introducing so-called target flags. These are built into the operating system and let Apple determine more quickly how far an attacker has got. This should also make it easier to roll out a fix and improve understanding of a problem before the fix is developed. Target flags are implemented in all Apple operating systems from iOS to visionOS. Not all bug bounty categories are covered yet, but Apple intends to extend them.
Apple also announced that bugs which fall outside the bug bounty categories but still require a fix will be rewarded with a payment of 1000 dollars, in addition to a CVE entry and public credit. These are meant to be "low impact" bugs that have no direct effect on user security. Finally, Apple is opening a new round of its Security Research Device Programme (SRDP). The SRDP now also includes the new iPhone 17, which Apple has equipped with hardware memory protection. The research devices ship with root access and permit forms of analysis and attack that are not possible on regular devices, giving researchers deeper insight into the platform. The current application round runs until 31 October.
(bsc)