Article illustration 1

At the Hexacon security conference in Paris, Apple's security engineering chief Ivan Krstić unveiled a seismic shift in the company's vulnerability rewards program: Maximum payouts for critical exploit chains now reach $2 million—double the previous top reward. When combined with new bonuses for bypassing Lockdown Mode and discovering flaws during beta testing, researchers could earn up to $5 million for revealing the most dangerous vulnerabilities.

This strategic escalation targets the growing threat of mercenary spyware used against high-risk individuals like journalists and activists. "We want researchers who mirror these sophisticated attacks to get tremendous rewards," Krstić told WIRED, emphasizing Apple's commitment to drawing critical security research away from the gray market. Since opening its bounty program publicly in 2020, Apple has paid over $35 million to 800 researchers, with multiple $500,000 awards in recent years.

Beyond the Headline Figures

Apple's overhaul includes three key expansions:
- New vulnerability categories covering one-click WebKit browser exploits and wireless proximity attacks using any radio technology
- Lockdown Mode bonuses specifically incentivizing work against the security feature designed for high-risk targets
- "Target Flags" program adopting capture-the-flag concepts to help researchers rapidly validate exploit capabilities

The announcement coincides with Apple's rollout of Memory Integrity Enforcement in iPhone 17—a five-year engineering effort to neutralize the most exploited class of iOS vulnerabilities. To further protect vulnerable communities, Apple will donate 1,000 iPhone 17s to rights groups supporting potential spyware targets.

The Bigger Picture

Krstić acknowledged the apparent imbalance in protecting a tiny fraction of users: "There's incontrovertible evidence these technologies are constantly abused. We feel a moral obligation to defend those users." Yet this hyper-focused defense strategy creates cascading benefits—Memory Integrity Enforcement and Lockdown Mode improvements ultimately raise security baselines for all Apple users.

By placing unprecedented value on preemptive vulnerability discovery, Apple signals that the economic calculus of ethical hacking must evolve to match the rising stakes of state-sponsored surveillance. As exploit brokers offer million-dollar paydays, Apple's bounty program becomes both a technical safeguard and a statement about who controls critical security knowledge.