Red Hot Cyber

Everyone’s Hacking iPhones! Apple Increases iOS Reward to $5 Million

Redazione RHC : 11 October 2025 18:40

Apple has significantly expanded its bounty program for security vulnerabilities in the iOS ecosystem. At the Hexacon offensive security conference in Paris, Ivan Krstic, the company’s vice president of security architecture and engineering, announced a maximum reward of $2 million for the discovery of a chain of vulnerabilities that could be exploited for espionage purposes.

If such a combination allows the system to bypass the additional “Lockdown Mode” security feature or is discovered in a beta version of the system, the total reward could reach $5 million. The new rules will go into effect next month.

The decision reflects the company’s concern about the growing commercial spyware market and its desire to prevent its exploitation during the discovery phase of critical vulnerabilities. Apple emphasizes that it places particular importance on discoveries that replicate the logic of real-world attacks and is willing to pay significant sums for such investments of time and effort.

According to Krstic, the company has already awarded half a million dollars for individual discoveries, and since 2020, when the program was opened to everyone, more than $35 million has been awarded to over 800 researchers.

In addition to increasing the rewards, the company has expanded the list of vulnerability types eligible for the program. It now includes one-click attacks using the WebKit browser infrastructure and methods using radio channels near the device.

A new category, Target Flags, has also been added, essentially integrating elements of CTF competitions into real-world testing of Apple products. This allows for quick and clear demonstration of exploit effectiveness, increasing the transparency of the process.

In addition to creating incentives for vulnerability hunters, Apple is investing in the long-term security of its products at the architectural level. In September, the company introduced Memory Integrity Enforcement, a feature built into the iPhone 17 series. It is designed to block the most frequently exploited category of iOS bugs and is primarily aimed at protecting vulnerable groups, including political activists, journalists, and human rights defenders.

Apple emphasizes that while most users never encounter spyware threats, protecting the most vulnerable groups strengthens the security of the entire ecosystem. The company explains this as a moral imperative, especially given the persistent abuse of such technologies, regularly reported by both IT companies and human rights organizations.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
