Apple just raised the stakes for security researchers in a big way, doubling its top bug bounty from $1 million to $2 million. For the most dangerous exploit chains, bonuses can push the total above $5 million.
Background
Apple launched its public Security Bounty in 2020 and says it has paid more than $35 million to over 800 researchers so far. The program has focused more on complete exploit chains because real attacks often string multiple bugs together.
Because mercenary spyware continues to target a small number of high‑value individuals, platform vendors are hardening their systems and raising the rewards for reports of complete, realistic exploit chains. Apple pointed to Lockdown Mode and related defenses while acknowledging that the threat keeps evolving.
How it works
The new top award of $2 million targets exploit chains that achieve goals similar to sophisticated mercenary spyware attacks, particularly zero‑click compromises that require no user interaction. Bonus payouts apply for Lockdown Mode bypasses and bugs found in beta software, allowing totals to exceed $5 million.
Apple is also introducing Target Flags, a mechanism that lets researchers objectively demonstrate exploitability for categories such as remote code execution or TCC bypasses. Reports that include a Target Flag qualify for accelerated awards, which can be paid before the fix ships rather than after.
Key points
- Top award doubled to $2 million for spyware‑class exploit chains.
- Bonuses can push some payouts above $5 million.
- New Target Flags can speed up verification and payment.
- Expanded categories: up to $300,000 for one‑click WebKit sandbox escapes and up to $1 million for wireless proximity exploits.
- Other notable caps: $1 million for broad unauthorized iCloud access and $100,000 for a complete Gatekeeper bypass on macOS.
Why it matters
This is one of the highest public bug bounty caps in the industry, signaling Apple’s push to attract top‑tier research away from private markets. Faster, clearer payouts may also address past complaints about slow or uneven rewards.
Impact / Expert View
Coverage from major outlets underscores that Apple’s new ceiling and bonuses could shift incentives for offensive research, especially around zero‑click chains. The company frames this as a direct response to spyware threats and a way to improve relationships with researchers through accelerated awards.
Conclusion
Apple’s bug bounty just got a major upgrade, with up to $2 million for top exploits and even higher totals with bonuses—big money for stopping big threats. Would this make researchers pick disclosure over private buyers?
— (Sources: Apple Security Research, Engadget, MacRumors, WIRED)
Last Updated on October 18, 2025 by Lucy