
Apple will pay up to $2M for finding an iPhone security flaw

Apple is increasing how much it pays to security researchers for the bugs they find in iPhones and Macs, with some payouts topping $2 million.

Why it matters: Apple is upping the ante to encourage security researchers to try to find bugs that spyware vendors and nation-state hackers could exploit.


Driving the news: Apple said in a blog post Friday that it's increasing the payouts for several categories of security vulnerabilities, including zero-click vulnerabilities and attacks that work when in close proximity to an iOS or MacOS device.

  • The move is designed to encourage researchers to find bugs in some of Apple's newer security features.

Catch up quick: iPhone 17, which hit the market last month, includes new security improvements that harden the phones' memory against some of the most commonly targeted software vulnerabilities.

  • Called Memory Integrity Enforcement, the system Apple's security designers built into the device chips assigns a "secret tag" to a chunk of memory tied to a specific program.
  • If an adversary attempts to run a script targeting that slice of memory, the iPhone first checks whether the program has the right tag. If it doesn't, the program crashes instead of opening.

Between the lines: In addition to Memory Integrity Enforcement, Apple has introduced Lockdown Mode, which provides high-value spyware targets with added security protections, and other improvements to securing device memory in recent years.

Zoom in: Apple is increasing the maximum payouts for the following categories of security flaws:

  • Zero-click flaws that would give an attacker access to a device without any user interaction could get a payout of as much as $2 million, double the previous maximum. One-click flaw discoveries can now get up to $1 million.
  • Vulnerabilities that would give adversaries access to a device whenever it's in close proximity could get as much as $1 million, quadruple the previous amount of $250,000.
  • Flaws that would let attackers access a locked device if they have physical access to it can now garner a payout of as much as $500,000, double the previous max payment.
  • Bugs that would let adversaries break out of an app sandbox and take control of the phone's memory can pay out as much as $500,000 — up from the previous $150,000 maximum.

The intrigue: Apple will also provide bonuses for findings that can bypass Lockdown Mode and MacOS Gatekeeper, which protects Macs from malware.

  • Bonuses are also available for findings in beta software.

The big picture: Apple's decision to increase payouts could help the tech giant compete against spyware vendors and the foreign governments they work with who often will pay big bucks for details about such flaws.

  • Increasingly, governments have turned to spyware to snoop on politicians, journalists, activists, dissidents and other high-profile figures.

Yes, but: Getting payouts and finding such flaws requires highly sophisticated hacking expertise — and some researchers have complained that Apple has been slow to fix reported bugs and doesn't always pay hackers what they think they're owed.

  • Apple said Friday it's introducing a new tool that researchers can include in their reports, called "target flags," that will automate the verification process — and speed up payouts.

What to watch: Apple also said it plans to donate 1,000 free iPhone 17 devices to civil society organizations that protect journalists, activists and dissidents most at risk from spyware.
