In a significant escalation of its efforts to fortify device security, Apple announced on October 10, 2025, an expansion of its Security Bounty program, doubling the maximum reward to $2 million for researchers who uncover exploit chains mimicking sophisticated mercenary spyware attacks. This move, revealed through a blog post on the company's security research site, aims to incentivize ethical hackers to probe deeper into potential vulnerabilities in iOS, macOS, and other ecosystems, particularly those enabling zero-click remote code execution without user interaction. With bonuses for bypassing features like Lockdown Mode or discovering issues in beta software, total payouts could exceed $5 million, marking the industry's highest rewards for such findings and underscoring Apple's commitment to staying ahead of threats from commercial spyware vendors like NSO Group.
The Apple Security Bounty program, publicly launched in 2020 after an initial invite-only phase in 2016, has already disbursed over $35 million to more than 800 researchers worldwide, with multiple reports earning $500,000 each. Initially offering up to $200,000 for critical bugs, the program expanded in 2019 to include a $1 million top prize for zero-day exploits allowing full device takeover. The latest evolution, effective November 2025, introduces higher tiers across categories, emphasizing verifiable exploits on the latest hardware and software, such as the iPhone 17 with Memory Integrity Enforcement. Apple's VP of Security Engineering, Ivan Krstić, highlighted the program's role in countering real-world threats, noting that iOS attacks observed in the wild are predominantly from mercenary spyware, which costs millions to develop and targets select individuals.
Under the updated structure, rewards are categorized by attack vector and impact. For network attacks without user interaction, a zero-click chain leading to kernel code execution with persistence and a kernel Pointer Authentication Code bypass can fetch up to $2 million, doubled from the previous $1 million cap. One-click chains, requiring minimal user engagement such as clicking a link, now top out at $1 million, up from $250,000. Wireless proximity attacks, which need physical closeness via radios like Bluetooth, also reach $1 million, while physical device access exploits for user data extraction range from $5,000 to $500,000. New expansions include $1 million for broad unauthorized iCloud access or remote attacks on Private Cloud Compute request data, and $300,000 for one-click WebKit sandbox escapes. Additionally, app sandbox escapes and system platform trust module bypasses earn up to $500,000.
To streamline submissions, Apple introduced Target Flags—programmatic indicators that objectively demonstrate exploitability in high-value areas like remote code execution or Transparency, Consent, and Control bypasses. Reports with these flags receive accelerated processing and payments, even before fixes are deployed, encouraging complete exploit chains over isolated vulnerabilities. Bonuses add another layer: 50% extra for beta-exclusive issues, allowing pre-release fixes, and 100% for Lockdown Mode bypasses, potentially pushing the maximum beyond $5 million. A permanent $1,000 award for low-impact issues outside the standard categories further broadens participation.
Eligibility requires researchers to submit detailed reports via Apple's Product Security portal, including proof-of-concept code, for issues affecting the latest publicly available software and hardware. Payments are discretionary, based on severity, exploit quality, and user impact, with credit in security notes unless anonymity is requested. The program covers iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and services like iCloud and Safari. However, it excludes web apps, third-party software, and certain enterprise features.
Success stories illustrate the program's effectiveness. In 2020, a team led by Sam Curry uncovered 55 vulnerabilities in Apple's online services over three months, including critical issues like wormable XSS in iCloud Mail and command injection allowing arbitrary code execution. Apple fixed most within days and awarded $288,500 across 32 payments. Another notable case involved researcher Ryan Pickren, who in 2022 received a record $100,500 for a Mac webcam hack enabling unauthorized access via malicious websites. Pickren had previously earned bounties for similar camera vulnerabilities in iPhone and Mac. These examples highlight how the program attracts top talent, leading to rapid patches that enhance user privacy.
Criticisms persist, however. Some researchers report delays, ignored submissions, or silent patching without credit or payment. For instance, one blogger accused Apple of scamming them out of $50,000 by fixing a bug without acknowledgment. Others note the program's initial slowness compared to competitors like Google's, which has paid out over $50 million since 2010. Despite this, Apple's focus on high-impact exploits has driven innovations like Lockdown Mode, introduced in 2022 to protect high-risk users from state-sponsored attacks.
Comparatively, Apple's $2 million top bounty surpasses Google's $1.5 million for Android exploits and Microsoft's $250,000 for Windows bugs, positioning it as a leader in rewarding advanced research. This strategy aligns with growing threats; reports indicate mercenary spyware like Pegasus has infected devices of journalists, activists, and politicians, prompting global scrutiny. By crowdsourcing defenses, Apple not only bolsters its 2.35 billion active devices but also contributes to broader cybersecurity norms.
Looking forward, the program's updates are expected to attract more sophisticated submissions, potentially uncovering flaws before adversaries exploit them. As cyber threats evolve with AI and quantum computing, initiatives like this foster collaboration between tech giants and the hacking community. For aspiring researchers, the bounty represents not just a financial incentive but a chance to shape the future of digital security. Apple's investment signals a proactive stance, ensuring iPhones remain the gold standard for consumer privacy amid an increasingly hostile digital landscape.
Ultimately, this bounty hunt transforms potential adversaries into allies, rewarding ingenuity that safeguards users worldwide. With the bar set at $2 million and beyond, Apple's program exemplifies how financial incentives can drive ethical hacking toward collective defense, turning vulnerabilities into victories for security.
