Apple Bug Bounty Update: Top Payout $2 Million, $35 Million Paid to Date


Apple on Friday announced significant updates to its bug bounty program and the company is now offering up to $2 million for complex exploit chains. 

Since the launch of its public bug bounty program in 2020, Apple has awarded a total of more than $35 million to over 800 security researchers. Multiple hackers earned $500,000 for their work, Apple said.

The tech giant recently unveiled Memory Integrity Enforcement (MIE), an always-on memory-safety protection for iPhones designed to combat sophisticated attacks such as the ones conducted by mercenary spyware vendors. 

Apple believes these spyware attacks are the only ones that actually pose a significant threat to its customers and the company now wants to boost the security of its products even further against sophisticated attacks. 

It’s doing this by harnessing offensive security talent from outside the company, specifically by significantly increasing bug bounties for vulnerabilities such as the ones that would be leveraged in the exploit chains of mercenary spyware attacks.

The top reward for a zero-click exploit chain that achieves remote device compromise has been increased from $1 million to $2 million. Apple pointed out that this is the base pay and that researchers can in theory get as much as $5 million if they earn bonuses for Lockdown Mode bypasses and vulnerabilities discovered in beta software. 

Apple noted in a call with reporters on Thursday that for someone to earn a $5 million reward is not easy or likely, but it is theoretically possible.

Apple is also significantly increasing bug bounty payouts for an application sandbox escape (from $150k to $500k), attacks requiring physical access to a locked device (from $250k to $500k), wireless attacks requiring physical proximity (from $250k to $1M), and remote hacking that requires one-click user interaction (from $250k to $1M).


The company has also announced that one-click attacks through the web browser, which have to bypass its WebKit protections, will be rewarded with up to $300,000 if they can achieve code execution with a sandbox escape. The reward can increase up to $1 million if the exploit chain is taken even further to achieve unsigned code execution with arbitrary entitlements. 

The tech giant is also boosting rewards for categories where no exploit has been demonstrated to date, such as a Gatekeeper bypass on macOS ($100,000) and unauthorized iCloud access ($1 million). 

The new payouts will go into effect in November 2025. 

Apple on Friday also introduced a concept that involves flags, similar to capture-the-flag (CTF) competitions. These so-called ‘Target Flags’ are meant to make it easier for researchers to objectively demonstrate their findings and to know what reward they should expect for their report. 

“When researchers demonstrate security issues using Target Flags, the specific flag that’s captured objectively demonstrates a given level of capability — for example, register control, arbitrary read/write, or code execution — and directly correlates to the reward amount, making the award determination more transparent than ever,” Apple explained. 

“Because Target Flags can be programmatically verified by Apple as part of submitted findings, researchers who submit eligible reports with Target Flags will receive notification of their bounty award immediately upon our validation of the captured flag,” it added.

Target Flags are supported on iOS, iPadOS, macOS, visionOS, watchOS, and tvOS.

Apple also announced that exceptional research will continue to receive bonuses, and it has decided that even low-impact vulnerabilities may be rewarded with $1,000 to encourage researchers to continue reporting their findings.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.