
Apple is announcing a major expansion and redesign of its bug bounty program, doubling the maximum payout, adding new research categories, and introducing a more transparent reward structure.
Since the program began in 2020, Apple has awarded $35 million to 800 security researchers, with some individual reports earning $500,000.
The highest reward has been doubled to $2 million for reporting vulnerabilities that could lead to zero-click (no user interaction) remote compromise, similar to mercenary spyware attacks. However, payouts through the bonus system can be up to $5 million.
“This is an unprecedented amount in the industry and the largest payout amount offered by any bounty program that we are aware of – and our bonus system, offering additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this bounty, bringing the maximum payout to over $5 million,” Apple said.
Other payments enhanced or introduced under the new program plan include:
- One-click (user interaction) remote attack – $1,000,000
- Wireless Proximity Attack – $1,000,000
- Mass unauthorized iCloud access – $1,000,000
- WebKit exploit chain leading to unsigned arbitrary code execution – $1,000,000
- Attack on locked device with physical access – $500,000
- App Sandbox Escape – $500,000
- One-Click WebKit Sandbox Escape – $300,000
- macOS Gatekeeper complete bypass without any user interaction – $100,000
- “Incentive award” of $1,000 for low-impact but legitimate reports.
Apple notes that it has never received a report demonstrating a complete Gatekeeper bypass with no user interaction, or widespread unauthorized iCloud access, so both categories remain unclaimed, high-difficulty targets for bounty hunters.
Additionally, Apple said it “has never seen a real-world zero-click attack executed entirely via wireless proximity,” referring to the $1M ‘Wireless Proximity’ prize, which was previously increased from $250,000.
The program's scope is also being expanded to include Apple-designed chips such as the C1 and C1X modems and the N1 wireless chip.
For 2026, Apple plans to distribute one thousand secure iPhone 17 devices to members of civil society organizations at high risk of being targeted by mercenary spyware.
The same devices will be used for next year's Apple Security Research Device Program, for which security researchers can apply until October 31.
The tech giant hopes the increased rewards will further disrupt the development of sophisticated attack chains by spyware vendors, as researchers will have more incentive to find and report security issues.
To protect its users from sophisticated spyware attacks, Apple has implemented advanced security measures in iOS such as Lockdown Mode and Memory Integrity Enforcement, which make it more expensive to develop and execute covert spyware attacks.


