Apple doubled its bug bounty rewards, now offering up to $2 million for zero-click remote code execution flaws. Since 2020, the tech giant has paid $35M to 800 researchers.
Apple aims to pay rewards for exploit chains that are comparable to what mercenary and commercial spyware vendors offer. The company announced that bonuses (Lockdown Mode bypasses, beta bugs) can push payouts above $5M.
Apple expanded its bug bounty to cover more attack surfaces, offering up to $300K for one-click WebKit sandbox escapes and $1M for wireless proximity exploits. It also introduced Target Flags, enabling researchers to prove exploitability for top categories like RCE and TCC bypasses and receive faster payouts once verified.
Apple offers a $100,000 bounty for a complete, no-user-interaction Gatekeeper bypass on macOS, aiming to encourage deeper research into this key security defense.
“We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks,” reads the announcement published by Apple. “This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of — and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million.”
Apple’s Security Engineering and Architecture (SEAR) team studies complex mercenary-spyware-style exploit chains to harden defenses. The Security Bounty now raises rewards to incentivize researchers to find multi-step, cross-boundary attacks and offers higher payouts for five key attack vectors to drive deeper, offensive-style research:
Attack vector | Current Maximum | New Maximum
---|---|---
Zero-click chain: Remote attack with no user interaction | $1M | $2M
One-click chain: Remote attack with one-click user interaction | $250K | $1M
Wireless proximity attack: Attack requiring physical proximity to device | $250K | $1M
Physical device access: Attack requiring physical access to locked device | $250K | $500K
App sandbox escape: Attack from app sandbox to SPTM bypass | $150K | $500K
The company prioritizes high payouts for exploit chains that mirror real-world, sophisticated attacks on current hardware/software and use Target Flags.
Apple’s new Target Flags let researchers prove exploit capabilities like code execution or memory control. Target Flags are built into Apple OSs to enable the company to verify findings automatically and issue faster, transparent bounty rewards, even before patches are released, enhancing trust and efficiency.
Rewards are based on demonstrated impact (outcome), boosting remote-entry payouts while reducing rewards for less realistic vectors. The company notes that standalone or unlinked components remain eligible but at lower amounts.
Apple doubled its wireless proximity bounty to $1 million, expanding coverage to all radio interfaces in its latest devices with C1/C1X and N1 chips.
Reward guidelines prioritize issues affecting the latest devices and OS, like iPhone 17 with Memory Integrity Enforcement. Exceptional research in beta releases or bypassing Lockdown Mode earns bonuses. Low-impact reports now receive $1,000 awards. For 2026, Apple will provide 1,000 iPhone 17 devices to civil society for protection against mercenary spyware and expand its Security Research Device Program to include iPhone 17, giving priority bounty consideration to discoveries on these devices.
“Until the updated awards are published online, we will evaluate all new reports against our previous framework as well as the new one, and we’ll award the higher amount. And while we’re especially motivated to receive complex exploit chains and innovative research, we’ll continue to review and reward all reports that significantly impact the security of our users, even if they’re not covered by our published categories,” concludes the report. “We look forward to continuing to work with you to help keep our users safe!”