Apple updated its security rewards and now offers up to $2,000,000 for zero-click remote code execution exploits. The company funds larger prizes for the most dangerous exploit classes. The move aims to steer top researchers toward responsible disclosure.
Bigger base payouts and stacked bonuses
Apple raised base payouts across several exploit types. It lists one-click RCEs and certain wireless proximity attacks at $1,000,000. Apple also increased rewards for iCloud compromise and privilege escalation chains. When researchers meet multiple criteria, Apple can stack bonuses. Those bonuses can push rewards past $5,000,000 for a single submission.
Why Apple targeted zero-click RCEs
Zero-click exploits let attackers run code without any user action. They can compromise devices silently. Because of that risk, Apple prioritized these flaws. The larger bounty creates stronger incentives to report rather than weaponize discoveries.
Additional defensive steps and support for at-risk users
Apple pairs the bounty increase with defensive programs. The company plans to donate secure devices to civil society groups at risk of advanced spyware. Apple also continues programs such as Lockdown Mode and memory integrity protections. These tools raise the work factor for attackers and limit stealthy exploitation.
Security Research Device access and timelines
Apple opened application windows for its Security Research Device program. The company invites vetted researchers to request special hardware to study complex bugs. Participants get controlled access to diagnostic features that aid in finding deep issues. Apple hopes this controlled access will uncover high-impact flaws sooner.
What the bug bounty means for defenders and researchers
Security teams should expect more coordinated disclosures from top researchers. Organizations that build defensive tooling can use coordinated reports to deploy patches faster. Researchers benefit from clearer payout rules and larger financial incentives. Those who once sold zero-click exploits on gray markets may now see reporting as more lucrative.
Conclusion
Apple's bounty increase for zero-click vulnerabilities signals a serious shift. Apple now prices exploit research at far higher levels. The combination of larger payouts, defensive programs, and research-device access should reduce the number of high-end exploits that remain undisclosed. For defenders, the change offers a better chance to patch severe risks before attackers weaponize them.