Apple has been considered a provider of secure systems for years, especially in the area of data protection. However, at a time when Mac malware is more prevalent than ever, the company is causing concern. Security rewards from Apple's bug bounty program have been significantly reduced, and this affects precisely the most critical macOS vulnerabilities. The decision raises questions and alters the dynamic between Apple and the security researchers who have previously made a significant contribution to the platform's stability.
Apple's cuts to security rewards affect an area crucial to macOS. The new amounts change the conditions for security researchers who have previously reported vulnerabilities and thus contributed to the platform's stability. At the same time, the number of attacks on the Mac is increasing.
Apple cuts security rewards despite growing threat
The new rewards Apple is offering for reporting vulnerabilities are significantly lower than before. The most striking reduction is for complete TCC bypasses. This type of vulnerability previously earned up to $30,500; now it's only $5,000 – a cut of more than 80 percent. Individual TCC categories are also affected: rewards that previously ranged from $5,000 to $10,000 now fall to just $1,000.
Even sandbox escapes, where an app can move outside its isolated environment, have dropped from $10,000 to $5,000. Csaba Fitzl, senior macOS security researcher at IRU, made these figures public and emphasized that this move sends a bad signal. It seems to many in the industry as if Apple is admitting that certain problems are difficult to solve, or as if the company is no longer willing to adequately compensate researchers for their work. This contradicts Apple's own statements, in which data privacy plays a central role.
Why TCC is so important
TCC stands for Transparency, Consent, and Control. It is a key security framework in macOS that ensures apps only gain access to sensitive data with explicit consent. This includes access to files and folders, content from Apple apps such as Contacts, Calendar, and Health, as well as the use of the microphone, webcam, and screen recording.
A complete TCC bypass allows an app to access private information without consent. Security researchers have discovered several serious vulnerabilities in this area in the past. One example involved manipulating the consent database, causing macOS to falsely assume that the user had consented to a request. Another example was a code injection attack where a malicious app could exploit permissions already granted by a trusted app.
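One defensive check the TCC model suggests, as an added example that is not part of the article: auditing the consent database for grants on the sensitive services named above, so that an unknown app holding webcam, microphone or screen-recording permission stands out for review. It assumes the database is SQLite with an access table carrying service, client and auth_value columns (auth_value 2 meaning allowed on recent macOS), and runs on constructed sample rows rather than the real file, which itself requires Full Disk Access to read.

```python
"""Audit a macOS TCC consent database for granted permissions.

Added example, not from the article. Assumption: TCC.db is SQLite with an
'access' table whose 'service', 'client' and 'auth_value' columns hold the
protected resource, the requesting app's bundle id and the decision
(auth_value 2 = allowed on macOS 11+). All rows below are constructed.
"""
import sqlite3

ALLOWED = 2  # auth_value meaning "user granted access" (macOS 11+)

# Services the article names as TCC-protected, mapped to readable labels.
SENSITIVE = {
    "kTCCServiceCamera": "webcam",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceScreenCapture": "screen recording",
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServiceCalendar": "Calendar",
    "kTCCServiceSystemPolicyAllFiles": "full disk access",
}

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the user's TCC.db (schema subset only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access (service TEXT, client TEXT, "
                "client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, 0, ?)", [
        ("kTCCServiceCamera", "com.example.videocall", ALLOWED),
        ("kTCCServiceMicrophone", "com.example.videocall", ALLOWED),
        ("kTCCServiceScreenCapture", "com.example.updater-helper", ALLOWED),  # unexpected
        ("kTCCServiceAddressBook", "com.example.updater-helper", 0),          # denied
        ("kTCCServiceSystemPolicyAllFiles", "com.example.shell", ALLOWED),
    ])
    return con

def granted_sensitive(con, expected_clients):
    """Return (client, label) pairs for sensitive grants held by clients not on the expected list."""
    rows = con.execute(
        "SELECT service, client FROM access WHERE auth_value = ? ORDER BY client, service",
        (ALLOWED,),
    )
    return [(client, SENSITIVE[service]) for service, client in rows
            if service in SENSITIVE and client not in expected_clients]

if __name__ == "__main__":
    db = build_sample_db()
    for client, what in granted_sensitive(db, {"com.example.videocall", "com.example.shell"}):
        print(f"review: {client} holds {what} permission")
```

On a real machine the same query would be pointed at the user and system TCC.db files; the denied Contacts row shows why filtering on auth_value matters, since a denied entry is not a grant.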
Fitzl points out that only a small number of security researchers work regularly in the macOS field anyway. With the now-reduced bonuses, he expects this number to decrease even further.
Growing risks to Mac security
Apple's decision comes at a time when the number of Mac malware cases is steadily increasing. As threats grow, the incentives to report discovered vulnerabilities directly to Apple are decreasing. Lower rewards increase the risk that discovered security flaws could instead end up on the black market, where significantly higher sums are often paid for the same information.
It's difficult to understand why Apple is reducing the rewards right now. A functioning and attractive bug bounty program is one of the most important tools for keeping software secure. If researchers' motivation decreases, there's a risk that critical vulnerabilities will remain undiscovered for longer or won't be reported to Apple.
Impact of the cuts on Mac security
Apple's reduction in security rewards directly impacts the vulnerabilities that are most critical to macOS security. In a climate of rising malware threats, this decision seems illogical and is cause for concern. The reduced incentives could further decrease the number of macOS security researchers, increasing the risk that serious vulnerabilities will go undetected or be reported late. For a company that prides itself on its commitment to data privacy, this move carries significant weight. Apple's next response will be crucial in determining how the industry interprets this change of course. (Image: Shutterstock / Igor Kyrlytsya)