Apple (Wired, MacRumors):
We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks. This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of — and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million. We’re also doubling or significantly increasing rewards in many other categories to encourage more intensive research. This includes $100,000 for a complete Gatekeeper bypass, and $1 million for broad unauthorized iCloud access, as no successful exploit has been demonstrated to date in either category.
They’re referring to a Gatekeeper bypass “with no user interaction,” but I don’t really understand what that would mean. Doesn’t Gatekeeper only come into play when there is user interaction? If there’s no user interaction, that seems like it would be a zero-click exploit, which should be worth way more than $100K.
In addition to increasing reward amounts and expanding bounty categories, we’re making it easier for researchers to objectively demonstrate their findings — and to determine the expected reward for their specific research report. Target Flags, inspired by capture-the-flag competitions, are built into our operating systems and allow us to rapidly review the issue and process a resulting reward, even before we release a fix.
When researchers demonstrate security issues using Target Flags, the specific flag that’s captured objectively demonstrates a given level of capability — for example, register control, arbitrary read/write, or code execution — and directly correlates to the reward amount, making the award determination more transparent than ever. Because Target Flags can be programmatically verified by Apple as part of submitted findings, researchers who submit eligible reports with Target Flags will receive notification of their bounty award immediately upon our validation of the captured flag. Confirmed rewards will be issued in an upcoming payment cycle rather than when a fix becomes available, underscoring the trust we’ve built with our core researcher community.
Jeff Johnson:
A major evolution would be if Apple actually paid people who submitted bugs instead of arbitrarily deciding “nope”
The changes sound good, but this was my first thought, too. I think the problem with the bounty program wasn’t that it didn’t claim to pay enough or in enough categories. It was that Apple has a history of not counting exploits that seem like they should count, downgrading them to lower categories, delaying fixes and thus payments, and withholding payments until after being called out in the press. If you discover an exploit, it should be a no-brainer to write it up and submit it through the proper channels because you trust that Apple will take it seriously and that you’ll get paid. But that’s not the case from what I’ve seen.
Update (2025-10-15): See also: Bruce Schneier.
Update (2025-10-20): Rosyna Keller:
I’m going to write a blog post about a privacy leak Apple fixed reluctantly, didn’t get a CVE, and then Apple decided wasn’t worth a bug bounty despite the very important information it leaked.
It’s gotta be responsible to disclose it by now. But it was damn hard to find a phone that’ll run iOS 18.7, because Apple decided not to fix it there.
Update (2025-12-02): Malcolm Owen:
In October, Apple said that the payouts in its Security Bounty program will increase considerably in November. While the bounties for some high-profile exploit chains have grown to as high as $2 million, complaints are being raised about other awards for some macOS categories.
In a post to LinkedIn, IRU macOS security researcher Csaba Fitzl claims that the Apple Security Bounty “devalued” macOS. The devaluing is apparently demonstrated by the lowering of awards for disclosing some specific bypasses.
“Full TCC (privacy) bypasses are down from $30.5k to $5k,” Fitzl writes, while other individual TCC categories are reduced from payouts between $5,000 and $10,000 to just $1,000.
Ben Lovejoy:
Fitzl notes that not many security researchers focus on the Mac platform, and with even smaller awards on offer that number is likely to further diminish. It also increases the risk that anyone discovering an exploit will decide to sell it on the black market rather than report it to Apple.
It seems inexplicable that the company would make these changes at a time when there is more Mac malware than ever before.
Pablo Manríquez:
Apple has quietly removed DeICER, a civic-reporting app used to log immigration enforcement activity, from its App Store after a law enforcement complaint — invoking a rule normally reserved for protecting marginalized groups from hate speech.
[…]
Apple told developer Rafael Concepcion that the app violated Guideline 1.1.1, which prohibits “defamatory, discriminatory, or mean-spirited content” directed at “religion, race, sexual orientation, gender, national/ethnic origin, or other targeted groups.”
Some people are upset about this part because government officers aren’t normally considered a protected class. But that’s not the language the guideline uses. And I see no reason to allow this sort of content targeted at any group, be it teachers, Supreme Court justices, people who look a certain way or live in a certain state, whatever. Apple’s reasoning isn’t bogus because it’s protecting the wrong people; it’s bogus because that’s not what the app is doing.
But Apple’s justification went further. “Information provided to Apple by law enforcement shows that your app violates Guideline 1.1.1 because its purpose is to provide location information about law enforcement officers that can be used to harm such officers individually or as a group,” the company wrote in its removal notice.
Since that’s not the stated (or designed) purpose of the app, the “that” should have been a “which.” And then Apple’s justification doesn’t make any sense.
Concepcion’s appeal to Apple emphasized that DeICER was “a tool for education and lawful civic engagement, not the targeting or tracking of law enforcement.”
“Users cannot follow, locate, or monitor officers in real time,” he wrote in his memo to Apple’s App Review Board. “Any observation entered in the app represents a single moment in time, not a persistent or live tracking function.”
Via John Gruber (Mastodon):
There’s not one story about any of these apps being used to harm ICE agents. And even if such an attack happened, that wouldn’t imply it’s the purpose of these apps.
I haven’t seen such a story, either. The Dallas gunman is reported to have used the app, but he didn’t need it to find the agents, as the attack took place at their office.
Mike Masnick:
And, yes, I’ll be the first to tell you that content moderation at scale is impossible to do well, and that applies to app stores as well. But when you see a pattern this consistent—and this convenient for state power—pointing to scale problems feels inadequate. This looks less like algorithmic confusion and more like Apple systematically bending its policies to accommodate government preferences while trying to maintain plausible deniability.
This reasoning is deeply problematic on multiple levels. First, it treats documentation of public officials’ public actions as equivalent to hate speech against marginalized groups. Second, it accepts law enforcement’s own assessment of what constitutes “harm” to them without any independent review. Third, it creates a precedent where any app that allows citizens to track government activity could be banned as “discriminatory” against public officials.
Reece Rogers and Lily Hay Newman:
While gone from Apple’s App Store, DEICER is also still available via Google Play and a website.
Qualcomm (Hacker News):
Qualcomm Technologies, Inc. today announced its agreement to acquire Arduino, a premier open-source hardware and software company. The transaction accelerates Qualcomm Technologies’ strategy to empower developers by facilitating access to its unmatched portfolio of edge technologies and products.
[…]
By combining Qualcomm Technologies’ leading‑edge processing, graphics, computer vision, and AI with Arduino’s simplicity, affordability, and community, the Company is poised to supercharge developer productivity across industries. Arduino will preserve its open approach and community spirit while unlocking a full‑stack platform for modern development—with Arduino UNO Q as the first step.
Andrew Cunningham:
Qualcomm didn’t disclose what it would pay to acquire Arduino. The acquisition also needs to be approved by regulators “and other customary closing conditions.”
The first fruit of this pending acquisition will be the Arduino Uno Q, a Qualcomm-based single-board computer with a Qualcomm Dragonwing QRB2210 processor installed. The QRB2210 includes a quad-core Arm Cortex-A53 CPU and a Qualcomm Adreno 702 GPU, plus Wi-Fi and Bluetooth connectivity, and combines that with a real-time microcontroller “to bridge high-performance computing with real-time control.”
David Groom:
During a press briefing last night, their commitment to remaining agnostic (i.e. not removing support for other silicon) was made clear, although my question of “for how long?” did not have a definitive answer. Optimistically, the new resources, access to other acquisitions like Edge Impulse, and ability to leverage Qualcomm’s own IP (the €44 retail price tag on the Q was another clue before the announcement that Qualcomm had a particular interest in this board!) may indicate an exciting new era for the now two-decade-old project.
Rui Carmo:
Lots of mixed feelings. Qualcomm has been promoting quite a few new development kits over the past year or so, and of course Arduino has tremendous mindshare, but that was built upon pretty agnostic and far-reaching microcontroller support, so it will be interesting to see how this evolves.
Hernando Barragán:
The history of Arduino has been told by many people, and no two stories match. I want to clarify some facts around the history of Arduino, with proper supported references and documents, to better communicate to people who are interested, about Arduino’s origin.