Apple ups RCE flaw bug bounty to $2 million
Apple has doubled its reward for zero-click remote code execution vulnerabilities to $2 million as part of an updated bug bounty program, Security Affairs reports. Multi-step exploit chains, including Lockdown Mode bypasses or vulnerabilities discovered in beta software, also earn larger rewards, with total payouts potentially exceeding $5 million. The expanded program also covers additional attack types: rewards now include up to $300,000 for one-click WebKit sandbox escapes and up to $1 million for wireless proximity exploits. The top awards are reserved for exploits affecting current devices and operating systems, such as the iPhone 17 with Memory Integrity Enforcement, while lower-impact reports remain eligible for $1,000 awards. Apple also introduced Target Flags, which let researchers demonstrate exploitability for critical categories such as RCE or TCC bypasses and receive faster verification and payouts. "Until the updated awards are published online, we will evaluate all new reports against our previous framework as well as the new one, and we'll award the higher amount. And while we're especially motivated to receive complex exploit chains and innovative research, we'll continue to review and reward all reports that significantly impact the security of our users, even if they're not covered by our published categories," Apple said in a report.
