Apple has announced a major overhaul of its bug bounty program, doubling the top reward to $2 million for exploit chains comparable to the sophisticated attacks used by commercial spyware. Bonuses are available for Lockdown Mode bypasses and for vulnerabilities found in beta software, which can push total payouts beyond $5 million.
The $5 million ceiling is the largest payout offered by any bug bounty program. The program now emphasizes complete exploit chains rather than isolated vulnerabilities, reflecting real-world attacks in which several bugs are chained together. One major change is the introduction of Target Flags: when a researcher successfully exploits a vulnerability, they can capture a specific flag that demonstrates the level of access they achieved.

Apple itself verifies these flags, and researchers can receive the bounty award shortly after a submitted flag is validated. Moreover, under the new payment cycle, researchers no longer have to wait for the bug to be fixed before they are paid.