Apple Doubles Security Bounty to $2M, Targets Mercenary Spyware

Apple has unveiled what it calls a “major evolution” of its Apple Security Bounty program, significantly expanding rewards and introducing new initiatives to strengthen digital protection. The company revealed it has already distributed over $35 million to more than 800 security researchers through the program.

The most notable change involves doubling the maximum bounty to $2 million for researchers who uncover exploit chains achieving objectives similar to sophisticated mercenary spyware attacks. Apple describes this as “an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of.”

Additional bonus systems could more than double this reward, with maximum payouts exceeding $5 million for Lockdown Mode bypasses and vulnerabilities discovered in beta software.

Expanded Reward Categories

Apple is substantially increasing rewards across multiple categories to encourage deeper security research. The company will now offer:

  • $100,000 for complete Gatekeeper bypass
  • $1 million for broad unauthorized iCloud access
  • Up to $300,000 for one-click WebKit sandbox escapes
  • Up to $1 million for wireless proximity exploits over any radio

New Target Flags System

The tech giant is introducing Target Flags, described as “a new way for researchers to objectively demonstrate exploitability for some of our top bounty categories.” This includes remote code execution and Transparency, Consent, and Control (TCC) bypasses. Researchers submitting reports with Target Flags will qualify for accelerated awards processed immediately after verification, even before fixes become available.

Civil Society Initiative

In a parallel security effort, Apple announced it will provide a thousand iPhone 17 devices with Memory Integrity Enforcement to civil society organizations. These devices will be distributed to at-risk users who may be targeted by mercenary spyware, reflecting Apple’s commitment to “make our most advanced security protections reach those who need them most.”

The updated bounty program changes will take effect in November 2025, when Apple will publish complete details of new and expanded categories, rewards, and bonuses on the Apple Security Research site.
