Apple doubles its biggest bug bounty reward to $2 million


Apple is significantly expanding its Security Bounty program this November, introducing some of the highest vulnerability rewards in the industry. The top award has been doubled from $1 million to $2 million for exploit chains that mirror sophisticated mercenary spyware attacks and require no user interaction. With bonuses, payouts can exceed $5 million in certain cases: for example, vulnerabilities found in beta software, or a successful bypass of Lockdown Mode, Apple's optional system-wide hardening setting for users who believe they may be targeted by mercenary spyware.

Key Reward Increases

  • Zero-Click Exploit Chains: Up to $2 million, with bonuses that can push the total payout beyond $5 million for
    higher-risk discoveries such as Lockdown Mode bypasses or flaws found in beta software.
  • One-Click Exploit Chains: Increased from $250,000 to $1 million.
  • Physical Proximity Attacks: Raised to $1 million from $250,000.
  • Locked Device Access Attacks: Increased from $250,000 to $500,000.
  • WebContent + Sandbox Escape: Up to $300,000.

Since introducing the program, Apple has awarded over $35 million to more than 800 security researchers. While multi-million payouts are rare, the company has issued several $500,000 rewards.

Why This Matters

Apple says the only system-level attacks it has seen in the wild have come from mercenary spyware, typically deployed by state-backed actors against a small number of targeted individuals. Measures like Lockdown Mode and Memory Integrity Enforcement aim to make these attacks harder, the latter by raising the cost of exploiting memory corruption vulnerabilities. The increased payouts are designed to attract and reward advanced research into the areas Apple considers its most critical attack surface, even as attack methods continue to evolve.

By raising payouts, Apple is sending a clear message: if hackers can find the most dangerous bugs, the company is willing to pay top dollar to secure its devices before bad actors can exploit them.
