- Apple now offering $2 million for clickless RCE failures on its devices
- Clickless attacks require no user interaction and are often used in cyber espionage.
- The revamped bug bounty program includes new categories, bonuses, and payouts of up to $5 million.
If you want to win $2 million, all you need to do is discover a zero-click remote code execution (RCE) vulnerability on an Apple device.
Yes, it’s as hard as it sounds, which is why Apple doubled the reward for zero-click failures, for which it previously offered up to $1 million in rewards.
Security researchers can also earn a million dollars for finding one-click remote attacks, wireless proximity attacks, widespread unauthorized iCloud access flaws, and WebKit exploit chains that lead to arbitrary unsigned code execution.
“Unprecedented” amount
The improved rewards are part of Apple’s completely revamped new bug bounty program, with new categories, new reward structure, and higher payouts.
Zero-click vulnerabilities are, as the name suggests, those that can be exploited without any clicks from the victim. Running malware on a device typically requires at least one click from the victim, such as running a program or granting certain permissions.
Zero-click flaws are infinitely more dangerous, as they can be abused even if the victim is security-aware and knowledgeable, and does absolutely nothing to put themselves in danger.
An example of a no-click attack would be sending a specially crafted MMS message to the victim that grants the attackers access even if the user does not read it. These vulnerabilities are few and far between and are typically exploited secretly by state-sponsored actors engaged in cyberespionage.
“This is an industry-record amount and the largest payout offered by any bounty program we know of, and our bonus system, which provides additional rewards for bypassing lock mode and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout of more than $5 million,” Apple said.
There is also a lot of money to be made discovering attacks on locked devices with physical access, application sandbox escape flaws, one-click WebKit sandbox escape flaws, and complete Gatekeeper bypasses, without user interaction.
Through beepcomputer
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
