massively multiplied the number it’s offering hackers for finding vulnerabilities in iPhones and Macs, up to $1 million.
It’s by far the highest bug bounty on offer from any major tech company.
That’s up from $200,000, and in the fall the program will be open to all researchers. Previously solely those on the company’s invite-only bug bounty program were eligible to receive rewards.
As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it’s also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple’s head of security engineering Ivan Krstić gave a talk on iOS and macOS security.
Forbes also disclosed on Monday that Apple was to provide bug bounty participants “developer devices”—iPhones that allow hackers to dive further into iOS. They can, for instance, pause the processor to look at what’s happening with data in memory.
Krstić confirmed the iOS Security research Device program would be by application solely. It will arrive next year. The full $1 million can head to researchers who will find a hack of the kernel—the core of iOS—with zero clicks needed by the iPhone owner.
Another $500,000 will be given to people who will find a “network attack requiring no user interaction.” There’s also a 50% bonus for hackers who can find weaknesses in software before it’s released.
Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell identical data to governments for immense sums.
As Maor Shwartz told Forbes, the price of a single exploit (a program that uses vulnerabilities generally to take control of a computer or phone) will fetch as much as $1.5 million.
An exploit targeting WhatsApp where no clicks are needed from the user, for instance, can be sold to a government agency for that much, though such tools are rare.
Only one or two a year will be sold, from a pool of around 400 researchers who focus on such high-end hacking.
“It’s very hard to research them and manufacture a working exploit,” he said.