Apple Bug Bounty Program Now Offers Up to $5 Million


Apple has announced a massive evolution of its Apple Security Bounty program, dramatically increasing rewards to attract the world’s most advanced security researchers.

The update, effective in November 2025, more than doubles the top payout and sets a new industry standard for rewarding the discovery of critical vulnerabilities in Apple’s platforms.

The move is a strategic response to the rising sophistication of real-world threats, particularly those posed by mercenary spyware. By offering the highest awards in the industry, Apple aims to prioritize the discovery of complex, chained exploits that bypass its most advanced security features like Lockdown Mode and Memory Integrity Enforcement.

Key Points & Highlights

For a quick summary of the program’s evolution, here are the essential takeaways:

  • Maximum Payout: The top award is doubled to $2 million for zero-click exploit chains. With bonuses, the total maximum reward can now exceed $5 million—the highest offered by any bug bounty program globally.
  • Accelerated Rewards: Introduction of Target Flags allows researchers to objectively demonstrate exploitability, qualifying them for accelerated awards that are processed immediately after verification, rather than waiting for a software fix.
  • Focus on Exploit Chains: Rewards for complete, multi-stage exploit chains have seen the most significant increases, mirroring the structure of sophisticated real-world attacks.
  • New Reward Tiers: Rewards for common attack vectors like one-click remote attacks and wireless proximity attacks have quadrupled.

Major Reward Increases for Critical Attack Vectors

The revised program structure prioritizes findings that expose the most critical attack surfaces and challenge the fundamental security architecture of Apple devices (iOS, macOS, watchOS, etc.).

| Attack Vector | Current Maximum | New Maximum | Increase |
|---|---|---|---|
| Zero-click chain (remote, no user interaction) | $1,000,000 | $2,000,000 | Doubled |
| One-click chain (remote, one-click user interaction) | $250,000 | $1,000,000 | 4x |
| Wireless proximity attack (physical proximity required) | $250,000 | $1,000,000 | 4x |
| Physical device access (access to locked device) | $250,000 | $500,000 | Doubled |
| App sandbox escape (escape from app to SPTM bypass) | $150,000 | $500,000 | Over 3x |

Expanded Categories and Specific Targets

Beyond the core exploit chains, Apple has also introduced significant incentives for focused research in other critical areas:

  • Gatekeeper Bypass: A new $100,000 award is offered for a complete Gatekeeper bypass on macOS that requires no user interaction.
  • WebKit Sandbox Escapes: Researchers demonstrating the chaining of WebContent code execution with a sandbox escape can receive up to $300,000.
  • Low-Impact Reports: To encourage new researchers, minor issues that are outside the formal bounty categories but still result in a software fix will now be rewarded with a $1,000 award, in addition to receiving credit (CVE assignment).

Introducing Target Flags for Rapid Payouts

One of the most innovative changes is the introduction of Target Flags, a system inspired by “capture-the-flag” competitions.

Target Flags are integrated into Apple’s operating systems (iOS, macOS, visionOS, etc.) and serve as an objective mechanism to demonstrate a security issue’s capability—such as register control or arbitrary code execution.

Why this matters: When a researcher submits a report that captures a Target Flag, Apple can verify the finding programmatically. This allows the bounty award to be processed and issued immediately, dramatically shortening a wait that traditionally ended only after a software fix was released.

Context: Battling Mercenary iOS Attacks

Apple notes that the only system-level iOS attacks observed in the wild come from extremely sophisticated mercenary spyware, often associated with state actors. These exploits cost millions to develop and require chaining multiple vulnerabilities.

The significant increase in rewards directly correlates with the increased difficulty of exploiting Apple’s platforms due to recent defensive advancements. This bounty program evolution is designed to ensure that the security research community has the financial incentive to invest the necessary time and resources to stay ahead of the world’s most advanced adversaries.
