Apple bug bounty program expansion with doubled zero-click rewards
Security Tool/Service
Summary
Apple’s bug bounty program has been expanded and redesigned, doubling rewards for zero-click remote compromise and adding new research categories that raise the payoff for high-end vulnerability reporting. The change matters because it increases incentives to find exploit chains across iPhone, WebKit, iCloud, and Gatekeeper. Apple also says the updated structure is more transparent and can push some rewards above $5 million with bonuses.
Related Happenings
Apple out-of-band iOS/iPadOS security updates (CVE-2026-28950)
Security Patch Release
First: 22.04.2026 23:58
Last: 22.04.2026 23:58
Sources 1
About this happening:
**Apple** released **out-of-band security updates** for **iPhone and iPad** on **April 22, 2026** to fix **CVE-2026-28950**. The patch addresses a **Notification Services** flaw t...
Latest development: 23.04.2026 11:50
Apple issued **iOS 26.4.2**, **iPadOS 26.4.2**, **iOS 18.7.8**, and **iPadOS 18.7.8** on **2026-04-23** to close **CVE-2026-28950**, which could preserve deleted-message notifications on affected devices.
Apple Notification Services notification retention flaw (CVE-2026-28950)
Vulnerability
First: 22.04.2026 23:58
Last: 22.04.2026 23:58
Sources 1
About this happening:
**Apple** released **out-of-band updates** for **iPhone and iPad** to fix **CVE-2026-28950**, a **Notification Services** flaw that could let deleted notifications remain stored o...
Latest development: 23.04.2026 11:50
Apple released iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to address CVE-2026-28950, a logging flaw that could retain notifications marked for deletion on the device. The update improves data redaction so inadvertently preserved notifications are removed, and reporting also links the flaw to recovered Signal chats in the Prairieland case involving law enforcement and the FBI.
Apple iOS 18.7.7 security update expansion for DarkSword
Security Patch Release
First: 02.04.2026 00:50
Last: 02.04.2026 00:50
Sources 1
About this happening:
Apple expanded **iOS 18.7.7** availability to more older **iPhones and iPads** on **April 1, 2026**, letting devices that stay on **iOS 18** receive protections against the **acti...
Operation Triangulation updated iPhone espionage campaign
Campaign
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Coruna iOS exploit analysis ties updated Triangulation kernel exploit lineage
Technical Analysis
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
**Coruna** has been linked to an **updated** exploit lineage from **Operation Triangulation**, showing that a long-running iPhone attack framework continues to evolve and can stil...
Timeline
10.10.2025 19:50 3 articles · 7mo ago
Apple expands bug bounty payouts and categories
Initial Disclosure
Apple announced a major expansion and redesign of its bug bounty program, raising the top reward to $2 million for zero-click remote compromise reports and allowing bonus payouts above $5 million. The updated structure adds or raises rewards for one-click remote attacks, wireless proximity attacks, broad unauthorized iCloud access, WebKit exploit chains, locked-device access, app sandbox escapes, one-click WebKit sandbox escapes, and a macOS Gatekeeper complete bypass, while also expanding wireless proximity coverage to Apple-developed C1 and C1X modems and the N1 wireless chip. Apple also said it will distribute 1,000 secured iPhone 17 devices to civil society organizations in 2026 and that researchers can apply for the Security Research Device Program by October 31.
Sources
- Apple now offers $2 million for zero-click RCE vulnerabilities — www.bleepingcomputer.com — 10.10.2025 19:50
- Apple Bug Bounty Payouts Can Now Top $5m — www.infosecurity-magazine.com — 13.10.2025 12:30