Apple Introduces $2M Bug Bounty for Spyware-Level Exploits - MacRumors

Apple has announced a major overhaul of its bug bounty program that doubles the top reward to $2 million for exploit chains that can match the sophistication of mercenary spyware attacks.

With bonuses for Lockdown Mode bypasses and vulnerabilities found in beta software, Apple says its total payouts could exceed $5 million. The company claims this represents "the largest payout offered by any bounty program."

The program now places greater emphasis on complete exploit chains rather than individual vulnerabilities, reflecting the reality that real-world attacks typically chain multiple bugs together. The rewards for remote-entry vectors have also been substantially increased, although categories not commonly seen in actual attacks will receive lower payouts.

As part of the overhaul, Apple is introducing "Target Flags," which are inspired by capture-the-flag games. When a researcher successfully exploits a vulnerability, they can capture a specific flag that proves exactly what level of access they achieved, such as code execution or arbitrary read/write capabilities.

These flags can be verified by Apple, so researchers who submit reports using them can receive notification of their bounty award immediately after Apple validates the captured flag. The payment is also issued in an upcoming payment cycle, meaning researchers won't have to wait until Apple releases a software fix, which can take months. Previously, researchers often had to wait for Apple to patch a vulnerability before receiving payment.

The updated program comes into effect from November 2025. Apple is also expanding categories to include one-click WebKit sandbox escapes worth up to $300,000 and wireless proximity exploits over any radio worth up to $1 million. A complete Gatekeeper bypass on macOS now earns $100,000.

More information on the changes can be found on Apple's Security Research website. Apple says it has paid out over $35 million to more than 800 researchers since launching the public program in 2020.

Top Rated Comments

10 months ago
This is a great program and these updates make it much more enticing to people to find exploits. It's good to see Apple's focus on improving security.
Score: 20 Votes
10 months ago
iOS 26 is the biggest exploit. award me now.
Score: 19 Votes
Macusercom
10 months ago
Great program, worst execution. There have been so many exploits that have been disclosed, and those who find them do not get even remotely what Apple promises them. This is the reason many exploits remain hidden and get sold to higher bidders.
Score: 16 Votes
10 months ago
This is why I trust Apple with my personal data.
Score: 14 Votes
Mac Fly (film)
10 months ago

This is why I trust Apple with my personal data.
| Company | Program Name | Max Reward (USD) | Notes |
| --- | --- | --- | --- |
| Apple | Apple Security Bounty | $2,000,000 | For zero-click spyware exploit chains (effective Nov 2025); previously $1M. |
| Google | Vulnerability Reward Program | $1,500,000 | For full-chain zero-click RCE in Android; up to $3.1M for Chrome sandbox escapes. |
| Microsoft | Microsoft Bounty Programs | $250,000 | For critical RCE in Hyper-V or Azure; varies by product (e.g., $100K+ for Edge). |
| Meta | Meta Bug Bounty | $300,000 | For mobile RCE exploits; focuses on privacy/compromise in apps like Facebook/Instagram. |
| Intel | Intel Bug Bounty | $100,000 | For critical hardware RCE; lower for software-only issues. |
Honestly I trust none of them. Fully, no way.
Score: 12 Votes
WarmWinterHat
10 months ago

Can you give some examples of those?
https://9to5mac.com/2025/07/31/apple-security-bounties-pay-up-to-2m-but-it-only-paid-1k-for-a-critical-bug/
Score: 10 Votes