Apple’s ‘bug bounty’ programme was previously open only to certain researchers. Photograph: Josh Edelson/AFP/Getty Images

'Bug bounty': Apple to pay hackers more than $1m to find security flaws

Expanded program, announced at Black Hat conference, comes as governments and tech firms compete for information

Apple will pay ethical hackers more than $1m if they responsibly disclose dangerous security vulnerabilities to the firm, the company announced at the Black Hat security conference in Las Vegas.

The new “bug bounty”, up from a previous maximum of $200,000, could even out-bid what a security researcher could earn if they decided to skip disclosure altogether and sell the bug to a nation state or an “offensive security company”, according to data shared by Maor Shwartz, a vulnerability broker at the same conference.

Apple’s new bug bounty programme is a marked step up from a previous offering, which was limited to a select pool of pre-approved researchers. The company has also extended it to reward hackers finding vulnerabilities in watchOS and tvOS, as well as iOS and macOS.

The amount that researchers will receive depends on the severity of the bug they find. Earning $1m, for example, requires finding a weakness in iOS that can hack the kernel, the most secure layer of the operating system, without a single click from the user. There’s a potential bonus of another 50% if the bug is found in pre-release software, Apple said, potentially taking the earnings up to $1.5m for a single bug.

That matches what researchers could expect to earn if they went down the “grey hat” route and sold their finding to governments or contractors who intended to use it to hack state enemies, rather than fix it, according to Shwartz.

The “high-end market” for those sorts of buyers includes the same “zero-click RCEs” – remote command execution – for which Apple is offering its highest payout. It also includes any vulnerability in the encryption used by messaging services, including WhatsApp and iMessage, that could be used to intercept messages in transit and silently decrypt them.

Competition between governments and tech companies for knowledge of security vulnerabilities is more open than it has ever been. On the corporate side, the rise of bug bounties has ensured that responsibly disclosing weaknesses isn’t just something companies like Apple, Google and Microsoft expect hackers to do out of the goodness of their hearts, but can actually help those who find them pay the bills.

On the government side, however, companies such as Zerodium pioneered the practice of explicitly advertising that they would buy security vulnerabilities, with the intent of passing them on to government clients who use them as part of their espionage operations. In January, Zerodium raised its maximum payout to $2m, the company announced, for any vulnerability that can remotely “jailbreak” an iOS device, enabling unauthorised software installations, without requiring user interaction.

Apple is fighting back, however, issuing select security researchers pre-jailbroken iOS devices in an effort to help responsible researchers find bugs before their less ethical colleagues, according to a Forbes report from earlier this month.