Apple announced a major overhaul of its Security Bounty program, doubling its maximum payout to $2 million for zero-click exploit chains and establishing what it calls the industry’s highest security research rewards. The changes, set to take effect in November 2025, represent Apple’s most aggressive move yet to combat the rising threat of state-sponsored mercenary spyware.
The tech giant has increased its top award from $1 million to $2 million specifically for exploit chains that mirror sophisticated mercenary spyware attacks requiring no user interaction[6]. The total possible payout extends even further: researchers who discover critical vulnerabilities in beta software or bypass Lockdown Mode protections could receive up to $5 million through Apple’s bonus system[2][4].
Responding to Escalating Threats
The dramatic increase comes as Apple faces mounting pressure from professional-grade spyware operations. Recent attacks demonstrated the severity of the problem, including last month’s image processing vulnerability that enabled sophisticated attackers to compromise devices silently through a single malicious image file in a chat thread[1].
“We are lining up to pay many millions of dollars here, and there’s a reason,” explained Ivan Krstic, Apple’s vice president of security engineering and architecture. “We want to make sure that for the hardest categories, the hardest problems, the things that most closely mirror the kinds of attacks that we see with mercenary spyware, that the researchers who have those skills and abilities and put in that effort and time can get a tremendous reward”[2].
Apple emphasized that the only system-level iOS attacks it has observed in the wild originated from mercenary spyware, which has been historically associated with state actors and typically targets specific individuals[6].
Expanded Payout Structure
Beyond the headline-grabbing $2 million figure, Apple restructured rewards across multiple categories. Exploit chains requiring one-click user interaction now command up to $1 million, a fourfold increase from the previous $250,000[4]. Attacks requiring physical proximity to devices also saw their maximum reward jump to $1 million from $250,000, while the ceiling for attacks requiring physical access to locked devices doubled to $500,000[6].
Researchers who successfully demonstrate chaining WebContent code execution with a sandbox escape can now receive up to $300,000[4]. The company also introduced a new Target Flag system that enables researchers to receive accelerated awards even before a fix becomes available[2].
Track Record and Industry Context
Since launching its public bug bounty program in 2019, Apple has distributed over $35 million to more than 800 security researchers, including multiple $500,000 payouts[1][6]. While top-dollar rewards remain rare, the expanded program signals Apple’s commitment to outbidding the shadowy exploitation markets where mercenary spyware dealers hunt for identical vulnerabilities[1].
The program has faced criticism in the past for its relatively conservative approach compared to industry peers. Security experts had previously called the program “crippled” due to Apple’s reputation for being reluctant with payouts[2]. This latest overhaul appears designed to address those concerns head-on by offering what Apple describes as the industry’s highest rewards.
Enhanced Security Features
Apple pointed to recent security innovations like Lockdown Mode and Memory Integrity Enforcement as measures that make mercenary attacks more difficult to execute. Lockdown Mode represents an upgraded security architecture in Safari that restricts certain functionalities to prevent exploitation[4][6]. Memory Integrity Enforcement specifically combats memory corruption vulnerabilities that attackers frequently exploit.
However, the company acknowledged that bad actors continuously evolve their techniques. The enhanced bounty program aims to “encourage highly advanced research on [its] most critical attack surfaces despite the increased difficulty”[6].
What This Means for Security
The expanded bounty program transforms security research into a direct competition between legitimate tech companies and exploitation markets. By offering payments that rival or exceed what underground buyers might pay, Apple hopes to incentivize researchers to disclose vulnerabilities responsibly rather than selling them to malicious actors.
The changes also reflect the harsh reality of modern mobile security—$2 million payouts exist because the attack methods are real, active, and lucrative[1]. As state-sponsored hacking operations and commercial spyware vendors continue to target high-value individuals, the arms race between attackers and defenders shows no signs of slowing.
For security researchers, the November rollout presents an unprecedented opportunity to earn significant rewards while contributing to the protection of billions of Apple device users worldwide. The combination of higher payouts, expanded categories, and accelerated award processing through the Target Flag system creates powerful incentives for the world’s best security talent to focus their efforts on Apple’s platforms.
Sources:
[1] https://www.datamation.com/security/apple-doubles-bug-bounty/
[3] https://security.apple.com/bounty/
[5] https://security.apple.com/bounty/categories/
[7] https://www.axios.com/2025/10/10/apple-bug-bounty-payments-iphone-spyware