Apple has announced a major redesign of its Apple Security Bounty program, which will see higher rewards, new research categories, and a smoother process for verifying vulnerability reports and processing awards.
Since launching the program in 2020, Apple has awarded over $35 million in bug bounties to over 800 security researchers, with multiple individual reports earning $500k.
The updated program, which will go live from November 2025, will see the top reward double to $2 million for reporting “zero-click” exploit chains that can lead to remote compromise. These attacks are similar to mercenary spyware attacks—a highly targeted and sophisticated form of cyberattack usually directed at journalists, politicians, and activists, and one that has historically been associated with nation-state actors.
However, researchers can more than double that reward to receive a maximum payout in excess of $5 million through the company’s bonus system, which provides additional compensation for the discovery of advanced threats such as vulnerabilities within beta software and Lockdown Mode bypasses.
“This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of,” Apple says.
The company has also significantly increased its reward payouts across other research areas that involve remote entry, including:
“Our updated program offers outsize rewards for findings that help us stay ahead of real-world threats, significantly prioritizing verifiable exploits over theoretical vulnerabilities, and partial and complete exploit chains over individual exploits,” the company says.
“Top rewards are for exploits that are similar to the most sophisticated, real-world threats, that work on our latest hardware and software, and that use our new Target Flags.”
The bug bounty update comes shortly after the launch of Apple’s Memory Integrity Enforcement feature, which protects iPhone 17 and iPhone Air users against mercenary spyware by preventing memory corruption exploits.
Both announcements can be seen as a response to a global increase in commercial spyware activity, which drove 28 states and numerous international organizations—including Apple—to sign a joint agreement last year to tackle the proliferation of cyber intrusion capabilities, including spyware.
“While Lockdown Mode and Memory Integrity Enforcement make [mercenary spyware] attacks drastically more expensive and difficult to develop, we recognize that the most advanced adversaries will continue to evolve their techniques,” Apple says.
The Bigger Picture
The Apple Security Bounty redesign is the latest in a series of updates to bug bounty programs globally. Last week, Google launched a new AI-focused vulnerability reward program promising rewards of up to $30,000, and Wiz unveiled a new cloud- and AI-focused hacking event that will award a total of $4.5 million in bounties at Black Hat Europe this December.
Historically, there has been dissatisfaction in the bug-hunting and ethical hacking communities about the level of compensation awarded to researchers for their efforts—particularly when it comes to high-severity vulnerabilities. This has led to online debate about whether researchers should disclose vulnerabilities to vendors or sell them elsewhere.
Bug bounty programs were introduced as a means to encourage security researchers to find vulnerabilities and disclose them to the relevant vendor in exchange for fair compensation.
The recent increases in reward payouts could be a sign that the industry is taking more seriously the efforts of bug hunters and recognizing the value of vulnerability disclosure in the fight against cybercrime.