Apple is strengthening its commitment to security and launching a comprehensive overhaul of its bug bounty program. The goal is clear: to better motivate security researchers to find complex vulnerabilities before they are exploited by attackers. The maximum reward is increasing to $2 million.
For years, Apple has been considered one of the most secure technology companies in the world. But with the increasing sophistication of spyware attacks, especially by state-backed actors, the pressure to be even better prepared is growing. Therefore, the bug bounty program is being revised and expanded with new mechanisms designed to reward researchers not just for discovering individual bugs, but for entire attack chains.
Focus on exploit chains instead of individual bugs
Until now, Apple's bug bounty program has primarily focused on reporting individual vulnerabilities. In the future, however, the focus will be on complete exploit chains—realistic attack scenarios in which multiple vulnerabilities are combined. This reflects how real attacks unfold in practice. For particularly sophisticated exploit chains comparable to the complexity of spyware attacks, Apple will now offer up to $2 million. This doubles the previous maximum amount.
Additional bonuses and higher total payouts
In addition to the higher reward, Apple is introducing new bonus payments. For bypassing lockdown mode or finding vulnerabilities in beta software, the total payout can rise to over $5 million, according to Apple. The company calls this the "highest payout of any bug bounty program worldwide."
At the same time, rewards for attack types that occur less frequently in real-world settings will be reduced. Apple aims to align the program more closely with the actual threats that are relevant in practice.
New “target flags” for quick validation
A key new element are so-called target flags. This idea originates from capture-the-flag competitions, which are common in security research. Researchers who successfully exploit a vulnerability can capture a digital flag that precisely describes the access they have achieved—such as code execution or full read and write permissions.
Apple reviews these flags and then confirms the exploit's validity. Once this happens, the researcher is notified directly of their reward, and payment is made in the next payment cycle. This eliminates the previous problem of researchers often having to wait months for their reward until Apple fixed the vulnerability in an update.
New categories and increased premiums
The revised bug bounty program will take effect in November 2025. With its launch, Apple is expanding the number of categories and significantly increasing several reward tiers. One-click WebKit sandbox escapes will now offer up to $300,000. Wireless proximity exploits, which enable attacks over any wireless connection, will be rewarded with up to $1 million. A complete Gatekeeper bypass on macOS will bring in $100,000.
This allows Apple to cover a broader range of attack types—from browser-based exploits to wireless attacks to security mechanisms in macOS. These increases demonstrate that Apple is focusing primarily on areas where the risk of real attacks is particularly high.
Background and previous results
Apple launched its public bug bounty program in 2020. Since then, the company says it has paid out more than $35 million to over 800 security researchers. The new structure aims to further increase these amounts by increasing rewards and accelerating processing.
Apple provides additional information on the new rules, reward levels, and categories on its official security research website. The company emphasizes that user protection remains a core part of its philosophy and that collaboration with the international research community is crucial to its long-term success.
Apple sets new standards in security research
Apple is massively increasing its incentives for security researchers. With up to $2 million for complex exploit chains, new target flags for rapid validation, and expanded categories, the company is setting new standards in digital security.
The program demonstrates how seriously Apple takes the threat of modern spyware and how important close collaboration with independent researchers has become. Doubling the rewards, faster payouts, and a stronger focus on realistic attack scenarios make the bug bounty program one of the most attractive in the industry—and a clear signal that security is Apple's top priority. (Image: Shutterstock / Dragon Claws)
- Major restructuring at Apple: Jeff Williams leaves
- Apple TV+ unveils new original series from the Breaking Bad creator
- Netflix brings party games into the living room – with the iPhone
- WhatsApp introduces the new Liquid Glass design for the first time on iOS
- Apple Stores use new MagSafe chargers for the iPhone 17
- Apple close to agreement with the EU on Digital Markets Act
- Apple secures NPR podcast chief for growth
- Apple improves AirPods with new firmware update 8A358
- Apple Arcade News: These games will launch in November 2025
- Chat control: IT industry and child protection association warn
- What's new in iOS 26.1 Beta 2 – Fine-tuning for everyday life and design
- iOS 26.1: Swipe gesture replaces tap to stop alarm
- iPadOS 26.1 Beta 2: Slide Over celebrates its comeback on the iPad
- Apple is building up John Ternus – will he be the next CEO?
- WhatsApp: Introduction of usernames is getting closer
- Apple Q4 2025: Results to be presented on October 30
- Apple removes climate-neutral label – but goals remain the same
- iPhone 17 series surprises with strong demand and records
- Disney+ announces redesign of the app for iOS and tvOS
