Bug Bounties, Endpoint/Device Security, Threat Intelligence

Apple ups RCE flaw bug bounty to $2 million

(Adobe Stock)

Apple has increased financial rewards for zero-click remote code execution vulnerabilities by twofold to $2 million as part of an updated bug bounty program, Security Affairs reports.

Multi-step exploit chains, including Lockdown Mode bypasses or vulnerabilities discovered in beta software, are also given larger rewards, with total payouts potentially exceeding $5 million. The expanded bounty program also covers additional attack types. Rewards now include up to $300,000 for one-click WebKit sandbox escapes and up to $1 million for wireless proximity exploits. Rewards focus on exploits affecting current devices and operating systems, such as the iPhone 17 with Memory Integrity Enforcement. Lower-impact reports remain eligible for $1,000 awards.

Apple also introduced Target Flags, enabling researchers to demonstrate exploitability for critical categories like RCE or TCC bypasses and receive faster verification and payouts.

"Until the updated awards are published online, we will evaluate all new reports against our previous framework as well as the new one, and we'll award the higher amount. And while were especially motivated to receive complex exploit chains and innovative research, we'll continue to review and reward all reports that significantly impact the security of our users, even if they're not covered by our published categories," Apple said in a report.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds