If You Can Hack An iPhone, Apple Might Pay You $2 Million





Compared to most companies, Apple has traditionally been somewhat stingy when it comes to rewarding individuals who unearth iPhone exploits. More recently, though, Apple has come to the realization that if it wants to discover and patch serious iPhone exploits before they get taken advantage of by malicious actors, it has to increase the rewards available to security researchers.

In light of the above, Apple recently made significant changes to its bug bounty program. On October 10, Apple announced that the top award for an iPhone exploit is now $2 million, compared to $1 million previously. Naturally, to get the $2 million, researchers will have to discover an exploit that “can achieve similar goals as sophisticated mercenary spyware attacks.” Apple boasts that the $2 million figure is the largest amount offered by any bug bounty program currently in existence. Apple adds that the $2 million payout can jump to $5 million if accompanied by other exploits like bypassing Lockdown Mode.

Additionally, Apple says that it’s boosting the payouts for other exploits. For example, a method to bypass Gatekeeper is now worth $100,000, while an exploit capable of unauthorized iCloud access now yields $1 million. On top of it all, Apple is expanding the scope of its bug bounty program to include more categories, including WebKit hacks and wireless proximity exploits.

Apple’s bug bounty program has come a long way

Apple notes that over the past five years its bug bounty program has yielded more than $35 million in awards to over 800 hackers and researchers. Underscoring its commitment to making the program especially appealing, Apple is now offering an avenue for researchers to receive awards on an accelerated track.

“We’re introducing Target Flags, a new way for researchers to objectively demonstrate exploitability for some of our top bounty categories, including remote code execution and Transparency, Consent, and Control (TCC) bypasses,” Apple writes. “Researchers who submit reports with Target Flags will qualify for accelerated awards, which are processed immediately after the research is received and verified, even before a fix becomes available.”

All of the above is great, and highlights that Apple’s view of bug bounty programs has come a long way. Note that Apple didn’t implement its bug bounty program until 2020, many years after bug bounty programs were established at companies like Google. Before Apple’s bug bounty program began, Apple’s relationship with security researchers was far from ideal. At the time, it wasn’t uncommon to hear security researchers complain that efforts to relay discovered exploits to Apple were often unsuccessful.

All of that to say this: Apple’s bug bounty program has gone from nonexistent to arguably one of the more comprehensive and lucrative programs in the tech sphere. Apple says its new bug bounty program is set to go live next month.

Apple’s battle with sophisticated spyware

One phrase that caught my eye in Apple’s announcement was that its $2 million prize is reserved for exploits similar to “sophisticated mercenary spyware attacks.” This focus highlights Apple’s ongoing efforts to bolster the iPhone against extremely sophisticated spyware campaigns. 

In recent years, spyware has become incredibly advanced, so much so that it can sometimes infect an iPhone with no user interaction whatsoever. Recall that the NSO Group, for example, has regularly released spyware capable of leveraging zero-day exploits to attack the iPhone. The NSO Group’s Pegasus software is capable of monitoring all aspects of a target’s device, including text messages, emails, photos, and more. The first incarnation of Pegasus was particularly sophisticated because it was able to install itself if a user simply clicked on a link in an SMS message. More recent NSO Group software is capable of infecting a device without any user interaction at all, which is to say a user doesn’t need to click a link or open a file to become vulnerable.

For years, Apple would routinely patch security vulnerabilities exploited by the NSO Group, only to see the firm release new software capable of skirting around its security barriers. Apple eventually grew so frustrated with the game of cat-and-mouse that it sued the company in 2021 for its “surveillance and targeting of Apple users.”

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability,” Apple’s Craig Federighi said at the time. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous.” Apple ultimately dropped the suit in 2024, noting that the discovery process would reveal sensitive security information.

iPhone 17’s new tool against powerful spyware

While we’re on the topic of device security and spyware, it’s worth mentioning that Apple’s iPhone 17 lineup boasts a new security feature designed to better combat spyware. Apple calls the feature Memory Integrity Enforcement (MIE) and claims that it’s the “most significant upgrade to memory safety in the history of consumer operating systems.”

Put simply, the feature prevents malicious code injection because only trusted code can run in protected memory. Apple writes that most spyware functions by exploiting “memory safety vulnerabilities” and that MIE is specifically designed to prevent that particular attack vector. Apple has been working on MIE since 2020, and it’s currently included in every iPhone 17 model along with the iPhone Air.

In an Apple research report on MIE, the company said its new security feature is so robust that it may make developing attack vectors against the iPhone 17 prohibitively expensive. Apple specifically boasts that MIE will “disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products.” Together with Apple’s more expansive bug bounty program, it’s clear that Apple is taking concrete steps to ensure that the iPhone remains less susceptible to malware than any other smartphone on the market.


