Apple doubles its biggest bug bounty reward to $2 million
Apple has announced an update to its Security Bounty program, doubling its top award from $1 million to $2 million for the discovery of "exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks" with no user interaction. The maximum possible payout can exceed $5 million for the discovery of more critical vulnerabilities, such as bugs in beta software and Lockdown Mode bypasses. The company has also increased rewards for other types of vulnerabilities, including one-click user interaction exploit chains (up to $1 million), attacks requiring physical proximity to devices (up to $1 million), and attacks requiring physical access to locked devices (up to $500,000). Researchers who demonstrate chaining WebContent code execution with a sandbox escape can receive up to $300,000. Apple has awarded over $35 million to more than 800 security researchers since introducing and expanding the program. The company believes its new security features, such as Lockdown Mode and Memory Integrity Enforcement, can make mercenary attacks more difficult, but it hopes the increased bounty payouts will encourage advanced research on its critical attack surfaces.