Roughly three years ago, Apple began paying security researchers for discoveries of unknown vulnerabilities in iOS, and today, it’s responding to long-standing requests by adding macOS, watchOS, and tvOS devices to the list.
Additionally, the company is now offering a maximum reward of $1 million for the most serious security issues, providing researchers with even more incentive to report rather than hoard their findings.
The news went public today at the annual Black Hat security conference in Las Vegas (via TechCrunch), where lead Apple security developer Ivan Krstić disclosed key updates to the bug bounty program.
Apple will now pay $1 million for a deadly serious exploit — a zero-click attack that enables complete, persistent control of an iPhone’s kernel with nothing more than knowledge of the device’s phone number — up from a peak of $200,000 before.
Less serious exploits will qualify for smaller amounts.
For the company, the risk of low payments has been that security researchers will instead hand their findings off to private organizations, such as Grayshift and Cellebrite, that will subsequently exploit Apple’s devices for profit.