Apple has announced a major overhaul to its Security Bounty program, raising the top payout for exploit chains that mimic advanced mercenary spyware from $1 million to $2 million, with added bonus incentives pushing possible rewards beyond $5 million. Their newly introduced “Target Flags” system allows researchers to more efficiently prove exploitability and potentially receive accelerated payouts even before fixes are publicly released. The expanded program also boosts rewards in other categories: zero-click remote code execution, one-click exploits, wireless proximity attacks, and sandbox escapes all see their maximums increased. Apple says it has paid over $35 million to more than 800 researchers since opening the program to the public in 2020.
Key Takeaways
– Apple has doubled its base top bounty from $1 million to $2 million for sophisticated exploit chains, with bonus structures raising feasible payouts above $5 million.
– The company is broadening the scope of eligible vulnerabilities (e.g. for wireless proximity, sandbox escapes, and Lockdown Mode bypasses) and implementing “Target Flags” for faster verification and payment.
– Since making its bug bounty public in 2020, Apple has awarded over $35 million to more than 800 security researchers, reinforcing a strategy of outsourcing advanced vulnerability detection to external experts.
In-Depth
Apple’s latest push to fortify its security isn’t just incremental — it’s a statement. Earlier this month, the company revealed a revamped Security Bounty program that doubles its highest base reward (from $1 million to $2 million) for exploit chains that can pull off attacks akin to those used by mercenary spyware firms. But that’s just the floor: with bonus incentives tied to bypassing features like Lockdown Mode or discovering vulnerabilities in beta software, total rewards now can cross $5 million. The change goes live in November 2025.
This isn’t merely a generosity play. Apple is shifting how it incentivizes independent security researchers. A new “Target Flags” system lets researchers provide objective markers of exploitability, so Apple can validate and pay even before deploying a patch. That accelerates reward timelines and signals serious commitment to openness. Meanwhile, the categories eligible for higher payouts are expanding. For instance: zero-click remote code execution attacks (which require no user interaction) now top out at $2 million; one-click exploits and wireless proximity attacks also enjoy significant hikes; full sandbox escapes get larger ceilings too.
The rationale is clear. Apple contends that the only real system-level threat observed in the wild has come from commercial spyware — elite, multi-layered attack chains deployed against high-value targets. The new bounty structure is a countermeasure: if researchers can profit more by ethically reporting exploits, fewer vulnerabilities will land in the hands of adversaries. In support of this approach, Apple notes that since opening the program to the public in 2020 (previously invitation-only), it has already awarded over $35 million to more than 800 researchers (some getting as much as $500,000 in past payouts). This demonstrates that Apple is leaning hard into community-sourced defenses.
Still, challenges remain. High bounties can inflate expectations and raise the bar for what qualifies for payment, potentially limiting who can realistically win the top rewards. Also, the most critical exploits are precisely the hardest to discover and prove — so only highly skilled teams or individuals will compete at that frontier. That said, by aligning its incentives with those of elite hackers and expanding the scope of what it’ll pay for, Apple is clearly tilting toward a more collaborative, aggressive posture in defending its devices — at a price tag that signals it’s dead serious.