
Apple has announced a sweeping update to its Security Bounty program, doubling its maximum payout to an industry-record $2 million, with potential bonuses pushing total rewards beyond $5 million.
The overhaul, set to take effect in November 2025, introduces expanded vulnerability categories, new objective validation tools, and higher incentives targeting the most sophisticated attack techniques.
The updated program is designed to better match the complexity and cost of exploit chains seen in the wild, particularly those linked to mercenary spyware vendors and state-level adversaries. Since its launch in 2020, Apple’s Security Bounty has paid over $35 million to more than 800 researchers, with multiple individual payouts reaching $500,000. However, the company acknowledges that its evolving security architecture has raised the bar for successful exploitation, prompting the need for higher rewards to maintain researcher engagement.
Apple’s Security Bounty targets vulnerabilities across all its platforms, including iOS, macOS, watchOS, tvOS, iPadOS, and the newer visionOS, spanning both software and hardware. The revamped reward structure specifically emphasizes complete exploit chains over isolated bugs and prioritizes practical, demonstrable impact over theoretical vulnerabilities.
Among the highlights of the updated program:
- $2 million top reward for remote zero-click exploit chains, mirroring techniques used by advanced spyware operations.
- Up to $1 million for one-click WebKit sandbox escapes, wireless proximity exploits, and broad iCloud access, none of which have been successfully demonstrated to date.
- $100,000 reward for a full, no-interaction Gatekeeper bypass on macOS, marking the first time Apple has incentivized this particular attack path at such a scale.
Apple, headquartered in Cupertino, California, currently maintains one of the most robust consumer hardware ecosystems globally, with over 2.35 billion active devices. Its platforms, particularly iOS, are often the target of sophisticated spyware campaigns, such as those uncovered in the past involving NSO Group’s Pegasus. In response, Apple has deployed features like Lockdown Mode, Memory Integrity Enforcement, and enhanced WebKit isolation to strengthen device security.
These defenses have made exploit development increasingly difficult, especially for attackers seeking zero-click access or system-level code execution. According to Apple, all observed system-level iOS attacks in the wild now originate from mercenary spyware, typically involving complex exploit chains costing millions to develop.
To support researchers tackling this rising complexity, Apple is introducing Target Flags, a new system embedded in its operating systems that allows researchers to demonstrate successful exploitation with programmatically verifiable flags. Each flag represents a security milestone, such as arbitrary read/write or full code execution, and directly correlates to a specific bounty tier. Submissions using Target Flags are eligible for accelerated reward processing, receiving confirmation and payment upon validation, even before a public fix is released.
Another key update expands the Wireless Proximity category, which now includes attacks leveraging all radio interfaces across Apple’s latest chipsets, including the C1/C1X modems and N1 wireless chip. The bounty for these attacks has doubled to $1 million, despite no known real-world, zero-click proximity attacks to date.
To ensure inclusivity, Apple will also begin issuing $1,000 rewards for lower-impact or out-of-scope submissions, often contributed by new or first-time researchers, to encourage participation and maintain goodwill within the security community.