Apple announced Friday in a blog post that it is raising rewards for several types of security flaws, including zero-click vulnerabilities and attacks that work near an iOS or macOS device.
This move aims to get researchers testing Apple’s newest security protections. The iPhone 17, which launched recently, uses new security improvements that harden phone memory against common software flaws.
This system is Memory Integrity Enforcement. Apple engineers built it into the device chips to assign a “secret tag” to the memory slices used by specific programs. If an attacker tries to run a script targeting that memory, the iPhone first checks that the access carries the correct tag. Without the right tag, the program crashes instead of continuing to run.
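To make the tag check concrete, here is a small user-space model of tagged memory. It is an added example for this article, not Apple's code and not a description of how Memory Integrity Enforcement is implemented in silicon; it assumes 16-byte granules and 4-bit tags (the layout Arm's Memory Tagging Extension uses) and a toy bump allocator, all of which are assumptions. Each granule of the pool carries a tag, each pointer carries the tag it was stamped with at allocation, and every store compares the two, as the chip would on every load and store.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulation of tag-checked memory (assumed model, not Apple's MIE code):
 * every 16-byte granule carries a small tag, every pointer carries the tag
 * its allocation was given, and each access checks that the two agree. */
#define GRANULE       16
#define POOL_GRANULES 64
#define NUM_TAGS      16          /* 4-bit tag, as in Arm MTE (assumption) */
#define FREE_TAG      0           /* unallocated granules carry tag 0 */

static uint8_t pool[GRANULE * POOL_GRANULES];
static uint8_t granule_tag[POOL_GRANULES];
static size_t  next_granule;
static uint8_t next_tag = 1;

/* A pointer in this model: byte offset into the pool, number of granules,
 * and the tag stamped on it at allocation time. */
typedef struct { size_t offset; size_t granules; uint8_t tag; } tptr;

typedef enum { ACCESS_OK = 0, ACCESS_TAG_MISMATCH = 1 } access_result;

static void pool_reset(void) {
    memset(granule_tag, FREE_TAG, sizeof granule_tag);
    next_granule = 0;
    next_tag = 1;
}

/* Bump allocator: stamps a fresh tag (1..15) on every granule it hands out.
 * Consecutive allocations therefore always receive different tags. */
static tptr tagged_alloc(size_t bytes) {
    size_t n = (bytes + GRANULE - 1) / GRANULE;
    tptr p = { next_granule * GRANULE, n, next_tag };
    for (size_t i = 0; i < n; i++) granule_tag[next_granule + i] = next_tag;
    next_granule += n;
    next_tag = (uint8_t)(next_tag % (NUM_TAGS - 1) + 1);   /* cycle 1..15 */
    return p;
}

/* Freeing retags the granules, so any stale copy of the pointer mismatches. */
static void tagged_free(tptr p) {
    for (size_t g = p.offset / GRANULE; g < p.offset / GRANULE + p.granules; g++)
        granule_tag[g] = FREE_TAG;
}

/* The check hardware performs on every load/store: pointer tag vs memory tag.
 * On a real device a mismatch faults and the process crashes. */
static access_result tagged_store(tptr p, size_t index, uint8_t value) {
    size_t g = (p.offset + index) / GRANULE;
    if (g >= POOL_GRANULES || granule_tag[g] != p.tag) return ACCESS_TAG_MISMATCH;
    pool[p.offset + index] = value;
    return ACCESS_OK;
}

/* Scenario 1: writing past the end of one buffer into its neighbour. */
int overflow_is_caught(void) {
    pool_reset();
    tptr a = tagged_alloc(16);
    tptr b = tagged_alloc(16);
    (void)b;
    return tagged_store(a, 15, 0xAA) == ACCESS_OK              /* last in-bounds byte */
        && tagged_store(a, 16, 0xAA) == ACCESS_TAG_MISMATCH;   /* first byte of b */
}

/* Scenario 2: using a pointer after its allocation was freed. */
int use_after_free_is_caught(void) {
    pool_reset();
    tptr a = tagged_alloc(32);
    tagged_free(a);
    return tagged_store(a, 0, 0xBB) == ACCESS_TAG_MISMATCH;
}

/* Scenario 3 (the caveat): a 20-byte allocation occupies two granules, so an
 * overflow into bytes 20..31 stays under the buffer's own tag and is NOT caught. */
int intra_granule_overflow_is_missed(void) {
    pool_reset();
    tptr a = tagged_alloc(20);
    return tagged_store(a, 25, 0xCC) == ACCESS_OK;
}

int main(void) {
    printf("overflow caught: %d\n", overflow_is_caught());
    printf("use-after-free caught: %d\n", use_after_free_is_caught());
    printf("intra-granule overflow missed: %d\n", intra_granule_overflow_is_missed());
    return 0;
}
```

The third scenario is the practical limit of any granule-based tagging scheme: the check detects crossings between allocations and use of freed memory, but an overflow that stays inside the padding of the last granule carries the right tag and passes. That is why tagging complements, rather than replaces, bounds-checked code and allocator hardening.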
Apple has introduced other protections recently, like Lockdown Mode, which gives high-value targets extra security.
Zoom In: What the Bugs Pay
Apple is boosting the maximum payouts for these security flaw categories:
- Zero-click flaws that give an attacker device access with no user interaction: up to $2 million (double the old maximum).
- One-click flaw discoveries: up to $1 million.
- Proximity vulnerabilities that let attackers access a device when near it: up to $1 million (four times the old reward).
- Physical access flaws that let attackers access a locked device: up to $500,000 (double the old payment).
- App sandbox escapes that let adversaries break out of an app’s security container and take control of the phone’s memory: up to $500,000 (a sharp jump from the old $150,000 max).
Apple offers bonuses for findings that bypass Lockdown Mode and macOS Gatekeeper, which protects Macs from malware. Rewards are available for findings in beta software, too.
The Big Picture: Competing for Talent
Apple’s higher payouts help the tech giant compete against spyware vendors and the governments they work for. These groups pay large sums for details about such flaws. Governments increasingly use spyware to snoop on politicians, journalists, activists, and other high-profile figures.
A note on execution: Finding flaws requires highly sophisticated hacking expertise. Some researchers have criticized Apple for slow bug fixes and not always paying what hackers expect. Apple said Friday it is introducing a new tool, “target flags,” for reports. This tool automates the verification process and will speed up payouts.
What’s next: Apple plans to donate 1,000 free iPhone 17 devices to civil society organizations that protect journalists, activists, and dissidents most at risk from spyware.