
Apple Doubles Its Biggest Bug Bounty Reward To $2 Million (engadget.com)

Apple is updating its Security Bounty program this November to offer some of the highest rewards in the industry. From a report: It has doubled its top award from $1 million to $2 million for the discovery of "exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks" and which require no user interaction. But the maximum possible payout can exceed $5 million for the discovery of more critical vulnerabilities, such as bugs in beta software and Lockdown Mode bypasses. Lockdown Mode is an upgraded security architecture in the Safari browser.

In addition, the company is rewarding the discovery of exploit chains with one-click user interaction with up to $1 million instead of just $250,000. The reward for attacks requiring physical proximity to devices can now also go up to $1 million, up from $250,000, while the maximum reward for attacks requiring physical access to locked devices has been doubled to $500,000. Finally, researchers "who demonstrate chaining WebContent code execution with a sandbox escape can receive up to $300,000."

  • Apple Doubles Its Biggest Bug Bounty Reward To $2 Million

    Sir Mix-A-Lot: "I like Big Bugs and I cannot lie ..." :-)

  • Hackers have long since moved on from doing it for the glory, challenge, and fame, to doing it for the money.

    It's good to see they're fighting fire with fire. If you can get a payout for being evil and breaking the law (and risking your freedom) or get an at least somewhat similar payout for helping secure things, it makes the white hat look a lot more attractive, if you're already considering the black hat.

    • Anything worth doing is worth doing for money.

    • Shit $2M is a pittance for the kind of vulnerability they are looking for. If you find a remote root bug in Secure Shell, sell it to the government or the mob, but do it carefully as they might murder you for it. I'd start the bidding on something like that at $50M. That's just to start the auction, though. I'd expect it to be worth around $200M - $1B.
  • by drinkypoo (153816) <drink@hyperlogos.org> on Friday October 10, 2025 @02:20PM (#65717088)

    "exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks"

    I hear someone who has control of Apple's software has attacked users in a way that prevents them from running the software of their choice.

  • How much do I get if I report that the Mail app is doing something weird that makes me have to force quit it to fix it until it happens again?

  • What is the idea behind giving a reward for an "exploit chain"? This seems counterproductive: if I find a significant exploit that doesn't pwn a Mac computer entirely, I am not incentivized to report it immediately, but rather to wait until I find another one to chain it with and win the jackpot.
  • All the bugs I've been able to find and report to Apple have been stupid UI bugs that freeze your app or make your screens look invisible. I guess those are not important.

    • by JackAxe (689361)
      I found that I can bring my Mac Mini M4 to a complete crawl, where it takes over a minute to recover, just by moving the Color Picker around when customizing the Desktop Background Color. I also managed to break my iPad's UI within the first 30 minutes of use, where it got stuck on a blank screen, and this occurred after just swiping around exploring its UI functionality.
