Apple has dramatically expanded its Security Bounty program, doubling the top reward to $2 million for zero-click remote code execution exploits – the kind typically used in sophisticated spyware attacks.
With new bonuses and faster validation mechanisms, total rewards can now exceed $5 million, making this one of the most lucrative vulnerability programs in the industry.
Apple’s Head of Security Engineering and Architecture, Ivan Krstić, made the announcement during the Hexacon security conference, where he described the upgrade as a response to “the evolving landscape of highly targeted cyberattacks.”
The revamp broadens Apple’s reward structure for several vulnerability categories:
· Zero-click exploit chains affecting core system functions: up to $2 million.
· Wireless or proximity-based attacks (e.g., Bluetooth, NFC, or Ultra Wideband): up to $1 million.
· One-click exploits via Safari or WebKit: up to $300,000.
· macOS Gatekeeper bypasses: up to $100,000.
· Physical device attacks enabling unauthorized data access: up to $500,000.
For low-impact issues outside the Apple Security Bounty categories, in addition to the customary CVE assignment and researcher credit, Apple will now also reward such reports with $1,000.
Apple also raised payouts for bugs in less-explored areas, such as iCloud data leaks or device management bypasses, where real-world exploits have yet to surface.
To encourage proactive discovery, Apple introduced a bonus system that increases payouts for vulnerabilities found in Lockdown Mode, the iPhone’s advanced protection setting for high-risk users. The same bonus system applies to beta versions of Apple software, rewarding researchers who report issues before public release.
When combined, these bonuses can push total compensation above $5 million for qualifying discoveries, Apple said.
The company also unveiled a “Target Flags” mechanism – a structured, gamified validation process similar to cybersecurity “capture the flag” events. Researchers can submit proof of exploit capabilities and receive partial payments as Apple confirms each milestone, even before the vulnerability is fully patched.
Since launching its public bounty program in 2020, Apple says it has awarded over $35 million to more than 800 researchers worldwide. The new framework also aims to accelerate reward timelines – a frequent complaint among bug hunters – and to make the process more transparent through clearer documentation and automated tracking.
Apple’s decision to boost rewards follows growing pressure from the security community and a surge in mercenary spyware activity, such as NSO Group’s Pegasus attacks, which exploited zero-click vulnerabilities to compromise iPhones of journalists and activists.
By offering up to $2 million – and potentially much more – Apple now rivals or surpasses the top payouts from Google, Microsoft, and Meta. The move also signals Apple’s strategic effort to channel elite cybersecurity talent toward responsible disclosure rather than underground exploit markets.
“High-end exploits shouldn’t be the domain of private spyware vendors,” Krstić said. “We want those skills focused on strengthening user security.”
To reinforce that mission, Apple pledged to donate 1,000 iPhone 17 devices with enhanced threat protections to civil society groups defending at-risk individuals, such as journalists and human rights advocates.
Security researchers have largely welcomed the overhaul, noting that higher rewards better reflect the difficulty of modern exploit development. However, some say Apple must ensure faster communication and dispute resolution – areas where the program has faced criticism in the past.
The expanded bounty structure officially takes effect next month, with detailed rules and categories to be published on Apple’s Security Bounty website.
As Apple tightens its defenses, the message to hackers is clear: the most profit to be made from breaking into an iPhone is to tell Apple how you did it.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
October 13, 2025