Listen here, Mac. If you want to be wealthy, you can work hard, grind your whole life, and make wise investments that you hope will pay off in time for retirement, or get lucky and pick a set of winning lottery numbers. Barring those avenues, legal options that won't land you in prison start to dwindle, though there is another avenue to raking in millions of dollars. Uncover an Apple security flaw and take advantage of the company's vastly upgraded bug bounty payouts.
The top base payout just doubled overnight to $2 million, and can scale to over $5 million with certain bonuses applied, meaning you could become a multi-millionaire by discovering just a single security flaw. That's quite a bit more than CloudRift.AI's $1,000 reward for sleuthing a reset bug related to GeForce RTX 5090 and RTX Pro 6000 graphics cards.
It has to be a doozy, though. Apple's biggest payout applies to zero-click chain flaws, which are remote attacks that exploit software vulnerabilities without any user interaction, making them especially malicious and dangerous.
"This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of—and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million," Apple states.
Apple's biggest bug bounty award reflects just how rare and potentially dangerous those kinds of security flaws are in its ecosystem. According to Apple, the only system-level iOS attacks it's seen in the wild have come from "extremely sophisticated" mercenary spyware that typically costs millions of dollars to develop. These types of attacks are also usually focused on a small number of targeted victims.
"Enforcement makes such attacks drastically more expensive and difficult to develop, we recognize that the most advanced adversaries will continue to evolve their techniques. As a result, we’re adapting Apple Security Bounty to encourage highly advanced research on our most critical attack surfaces despite the increased difficulty, and to provide insights that support our mission to protect users of over 2.35 billion active Apple devices worldwide," Apple says.
The top payout is not the only type of security flaw that is getting a big increase. Apple doubled and even quadrupled payouts on these other types of attacks:
- One-click chain: Remote attack with one-click user-interaction: $1 million (up from $250,000)
- Wireless proximity attack: Attack requiring physical proximity to device: $1 million (up from $250,000)
- Physical device access: Attack requiring physical access to locked device: $500,000 (up from $250,000)
- App sandbox escape: Attack from app sandbox to SPTM bypass: $500,000 (up from $150,000)
Apple says it determined its retooled rewards structure based on demonstrated outcomes, no matter which route each one takes through the system. As a result, rewards for remote-entry vectors received major increases, while rewards for attack vectors now commonly observed in real-world attacks have gone down.
You can check out Apple's full announcement for a bunch more details, then go register for its security research device program to potentially rake in millions. Happy bug hunting!