{"id":49604,"date":"2025-10-10T16:52:35","date_gmt":"2025-10-10T20:52:35","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=49604"},"modified":"2025-12-02T16:26:48","modified_gmt":"2025-12-02T21:26:48","slug":"evolution-of-apple-security-bounty-program","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/10\/10\/evolution-of-apple-security-bounty-program\/","title":{"rendered":"Evolution of Apple Security Bounty Program"},"content":{"rendered":"

Apple<\/a> (Wired<\/a>, MacRumors<\/a>):<\/p>\n

\n

We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks. This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of — and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million. We’re also doubling or significantly increasing rewards in many other categories to encourage more intensive research. This includes $100,000 for a complete Gatekeeper bypass, and $1 million for broad unauthorized iCloud access, as no successful exploit has been demonstrated to date in either category.<\/p>\n<\/blockquote>\n

They’re referring to a Gatekeeper bypass “with no user interaction,” but I don’t really understand what that would mean. Doesn’t Gatekeeper only come into play when there is<\/em> user interaction? If there’s no user interaction, that seems like it would be a zero-click exploit, which should be worth way more than $100K.<\/p>\n

In addition to increasing reward amounts and expanding bounty categories, we’re making it easier for researchers to objectively demonstrate their findings — and to determine the expected reward for their specific research report. Target Flags, inspired by capture-the-flag competitions, are built into our operating systems and allow us to rapidly review the issue and process a resulting reward, even before we release a fix.<\/p>

When researchers demonstrate security issues using Target Flags, the specific flag that’s captured objectively demonstrates a given level of capability — for example, register control, arbitrary read\/write, or code execution — and directly correlates to the reward amount, making the award determination more transparent than ever. Because Target Flags can be programmatically verified by Apple as part of submitted findings, researchers who submit eligible reports with Target Flags will receive notification of their bounty award immediately upon our validation of the captured flag. Confirmed rewards will be issued in an upcoming payment cycle rather than when a fix becomes available, underscoring the trust we’ve built with our core researcher community.<\/p><\/blockquote>\n\n

Jeff Johnson<\/a>:<\/p>\n

A major evolution would be if Apple actually paid people who submitted bugs instead of arbitrarily deciding “nope”<\/p><\/blockquote>\n\n

The changes sound good, but this was my first thought, too. I think the problem with the bounty program wasn’t that it didn’t claim<\/em> to pay enough or in enough categories. It was that Apple has a history of not counting exploits that seem like they should count, downgrading them to lower categories, delaying fixes and thus payments, and withholding payments until after being called out in the press. If you discover an exploit, it should be a no-brainer to write it up and submit it through the proper channels because you trust that Apple will take it seriously and that you’ll get paid. But that’s not the case from what I’ve seen.<\/p>\n\n

Previously:<\/p>\n