
Apple offers to pay up to $2 million for finding Pegasus-like spyware in iPhones and other devices

Apple’s revamped program will offer $2 million for exploit chains capable of achieving “mercenary spyware-level” attacks — the highest confirmed payout in the cybersecurity industry.
October 10, 2025 / 19:20 IST

Apple has announced a sweeping expansion of its Security Bounty program, calling it the “next major chapter” in its effort to strengthen user privacy and platform security. The company has already paid over $35 million to 800 researchers and is now doubling its top payout to an industry-leading $2 million, with rewards in some categories exceeding $5 million.

Record-breaking payouts for top exploits

Apple’s revamped program will offer $2 million for exploit chains capable of achieving “mercenary spyware-level” attacks — the highest confirmed payout in the cybersecurity industry. The company says its bonus system can more than double this figure, taking total rewards beyond $5 million for those who identify vulnerabilities that bypass Lockdown Mode or are found in beta software.

In addition, Apple is significantly raising rewards in other high-priority areas: a complete Gatekeeper bypass now carries a $100,000 bounty, while broad unauthorised access to iCloud could earn up to $1 million — though Apple notes no successful exploit has been demonstrated so far in either category.

Expanding to new attack surfaces

The expanded program will now cover a wider range of threats. Apple is adding new categories such as one-click WebKit sandbox escapes, which can earn up to $300,000, and wireless proximity exploits that target any radio interface, with rewards of up to $1 million. These updates reflect Apple’s focus on strengthening defences against advanced remote and zero-click attacks.

Faster, more transparent rewards

A major new addition is Target Flags, a system that allows researchers to objectively prove the exploitability of vulnerabilities, including remote code execution and Transparency, Consent, and Control (TCC) bypasses. Reports submitted with Target Flags will qualify for accelerated awards — meaning verified findings can be paid out even before Apple releases a patch.

Security for at-risk users

Beyond financial incentives, Apple is launching a new initiative to support civil society groups and individuals vulnerable to spyware. The company will provide 1,000 iPhone 17 devices — featuring Memory Integrity Enforcement, its strongest memory safety protection yet — to organisations helping at-risk users.

Launch timeline

The updated Apple Security Bounty program takes effect in November 2025, when Apple will publish a complete list of new reward tiers, expanded categories, and bonus structures on its Security Research website.


MC Tech Desk
first published: Oct 10, 2025 07:19 pm
