- Apple is now offering $2 million for clickless RCE flaws in its devices
- Zero-click attacks require no user interaction and are often used in cyber espionage
- Revamped bug bounty program includes new categories, bonuses and payouts of up to $5 million
If you want to win $2 million, all you need to do is discover a zero-click remote code execution (RCE) vulnerability in an Apple device.
Yes, it’s as difficult as it sounds, which is why Apple has doubled the bounty for no-click exploits, for which it previously offered up to $1 million in rewards.
Security researchers can also earn a million dollars by finding one-click remote attacks, wireless proximity attacks, large-scale unauthorized iCloud access, and WebKit exploit chains leading to the execution of arbitrary unsigned code.
An “unprecedented” amount
The enhanced rewards are part of Apple’s new, completely revamped bug bounty program, with new categories, a new reward structure, and higher payouts.
Zero-click vulnerabilities are, as the name suggests, those that can be exploited without any clicks from the victim. Usually, running malware on a device requires at least one click from the victim, such as running a program or granting certain permissions.
No-click vulnerabilities are infinitely more dangerous, because they can be exploited even if the victim is vigilant and security-aware, and does absolutely nothing to put themselves in danger.
An example of a zero-click attack would involve sending the victim a specially crafted MMS message that grants the attackers access even if the user does not read it. These vulnerabilities are rare and are typically exploited covertly by state-sponsored actors engaged in cyberespionage.
“This is an industry-leading amount and the largest payout offered by any bounty program we know of – and our bonus system, offering additional rewards for Lockdown bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout exceeding $5 million,” Apple said.
Significant money can also be made by discovering attacks on locked devices with physical access, application sandbox escape flaws, one-click WebKit sandbox escape flaws, and complete Gatekeeper bypasses with no user interaction.
Via BleepingComputer