Apple is significantly enhancing its Security Bounty program this November, offering some of the highest payouts in the industry to incentivize advanced cybersecurity research. The company has doubled its top reward from $1 million to $2 million for researchers who uncover exploit chains capable of achieving the same outcomes as sophisticated mercenary spyware attacks, particularly those that require no user interaction.
In exceptional cases, Apple says total payouts could exceed $5 million, especially for discoveries involving critical vulnerabilities such as:
- Bugs in beta software
- Bypasses of Lockdown Mode, Apple’s hardened security architecture designed to protect high-risk users from targeted attacks
Apple is also increasing rewards across several other categories:
- One-click exploit chains (requiring minimal user interaction) now qualify for up to $1 million, up from $250,000
- Attacks requiring physical proximity to a device can earn up to $1 million, also up from $250,000
- Attacks requiring physical access to locked devices now carry a maximum reward of $500,000, doubled from $250,000
- WebContent code execution combined with sandbox escape can earn researchers up to $300,000
These increases reflect Apple’s recognition of the growing complexity and sophistication of modern cyber threats, particularly those targeting its most secure environments.
Since launching and expanding the program, Apple has awarded over $35 million to more than 800 security researchers, according to Ivan Krstić, Apple’s VP of Security Engineering and Architecture. While multi-million-dollar payouts are rare, Apple has confirmed issuing multiple $500,000 rewards for high-impact discoveries.
The company emphasized that the only system-level iOS attacks observed in the wild have originated from mercenary spyware, typically deployed by state actors to target specific individuals. Apple’s recent security enhancements, including Lockdown Mode and Memory Integrity Enforcement, aim to make such attacks significantly harder to execute.
Apple hopes that the updated bounty structure will encourage deeper research into its most critical attack surfaces, even as the difficulty of discovering such vulnerabilities increases. The company stated that these changes are part of its broader commitment to proactive security, transparency, and collaboration with the global research community.
