Apple is offering a $2 million reward to anyone who can hack an iPhone.

Phan Van Hoa October 17, 2025 07:59

Apple has just announced a security bounty program worth up to $2 million for any hacker or expert who can find a critical vulnerability on the iPhone.

Compared to many tech companies, Apple has traditionally been considered quite cautious when rewarding those who discover vulnerabilities on iPhones. However, the company has recently significantly adjusted its bug bounty program to proactively find and patch serious vulnerabilities before they are exploited.

On October 10th, Apple raised the maximum reward for a vulnerability on the iPhone to $2 million, double the previous $1 million. This amount could increase to $5 million if the vulnerability includes additional elements, such as bypassing Lockdown Mode.

Illustrative image.

To receive the highest bounty, hackers or researchers must discover vulnerabilities that could potentially achieve the same goals as sophisticated spyware campaigns.

Besides the top reward, Apple also increased payouts in many other categories: methods to bypass Gatekeeper are now valued at $100,000, while vulnerabilities allowing unauthorized access to iCloud can earn up to $1 million.

The company also expanded the scope of the program, adding categories such as WebKit vulnerabilities and wireless connectivity-related vulnerabilities, demonstrating an effort to increase the level of protection for the Apple ecosystem.

Apple's bug hunting program is becoming increasingly sophisticated.

Over the past five years, Apple has spent more than $35 million in rewards to over 800 white-hat hackers and security researchers through its bug bounty program. The company says it is working to make the program more transparent, attractive, and effective, including shortening the time it takes to reward valid discoveries.

According to Apple, one of the notable improvements is the introduction of a new mechanism that allows researchers to objectively demonstrate vulnerability exploitation capabilities for high-reward categories such as remote code execution or bypassing the Transparency, Consent, and Control (TCC) mechanism. Reports submitted through this mechanism will be processed and rewarded faster, even before the official patch is released.

This move represents a major shift in how Apple approaches the security community. Before 2020, when Apple's bug bounty program officially launched, the relationship between the company and researchers was quite strained, with many complaints about vulnerabilities going unanswered.

Apple has raised the maximum reward for a vulnerability in the iPhone to $2 million, double the previous $1 million. (Image: Internet)

Apple has now transformed its bug hunting program from nothing into one of the most comprehensive and valuable systems in the tech industry. The company says an upgraded version of the program will officially launch next month, expanding to include more categories and providing better support for the global security community.

Apple's battle against sophisticated spyware.

In its latest announcement, Apple emphasized the phrase "sophisticated mercenary spyware attacks" when referring to the $2 million reward, the highest in its bug bounty program. This is not just an invitation to security experts, but also reflects Apple's ongoing efforts to strengthen the iPhone's defenses against increasingly dangerous cyber espionage campaigns.

In recent years, spyware tools like Pegasus from the Israeli technology company NSO Group have reached alarmingly sophisticated levels. They can infiltrate iPhones without any user interaction, exploiting zero-day vulnerabilities to monitor messages, emails, photos, and other sensitive data. The first version of Pegasus only required users to click on an SMS link, but later versions could even install themselves without interaction, rendering all traditional security measures ineffective.

For years, Apple has continuously patched vulnerabilities exploited by NSO Group, but this "cat and mouse" battle is far from over. In 2021, the company decided to sue NSO Group, accusing the company of "tracking and targeting Apple users" with commercial spyware.

At the time, Craig Federighi, Apple's senior vice president of software, asserted: "Apple devices are the most secure consumer hardware on the market, but state-sponsored spyware companies pose a serious threat to user privacy."

Although Apple withdrew the lawsuit in 2024 due to concerns about disclosing sensitive security information, the case still demonstrates the company's strong commitment to the fight against spyware and explains why Apple is willing to spend millions of dollars patching vulnerabilities that could threaten the safety of iPhone users worldwide.

The iPhone 17 is equipped with new security tools to combat spyware.

In addition to expanding its bug-hunting program, Apple is also strengthening the iPhone's defenses against increasingly sophisticated cyber threats. On the iPhone 17 series, the company introduced a new security feature called "Memory Integrity Enforcement" (MIE) – described as "the biggest upgrade in memory security in the history of consumer operating systems."

According to Apple, MIE prevents malicious code from being injected into the system by only allowing trusted code to run in protected memory areas. Most current spyware exploits memory security vulnerabilities, and MIE is designed to patch this weakness at its root. The company states that the feature has been under development since 2020 and is now integrated by default across the entire iPhone 17 and iPhone Air lineup.

The iPhone 17 is equipped with new security tools to combat spyware. (Image: Internet)

In the accompanying technical report, Apple asserted that MIE is powerful enough to make developing attack tools targeting the iPhone 17 extremely costly and complex. A company representative confidently stated that MIE will “break many of the most effective exploitation techniques in the past 25 years, completely redefining the concept of memory security on mobile devices.”

Combining new hardware security features with an expanded bug bounty program, Apple is demonstrating that it is steadily strengthening the iPhone's position as one of the safest mobile devices in the world.

According to BGR