Apple doubles top bug bounty reward to $2 million for zero-click exploits

Apple has announced a major overhaul of its Security Bounty program, doubling the top payout to $2 million for researchers who discover zero-click exploit chains. The new maximum applies to vulnerabilities that can remotely compromise a device without user interaction, matching the sophistication of mercenary spyware attacks used by state-level adversaries.

The company says its expanded reward system will officially take effect in November 2025 and could exceed $5 million when including bonuses for Lockdown Mode bypasses and bugs found in beta software. Apple describes the change as “the largest payout offered by any bounty program” and part of its broader effort to encourage responsible disclosure of high-impact vulnerabilities.

This expansion comes as Apple continues to strengthen the security foundation of iOS, macOS, and its other platforms through features like Lockdown Mode and Memory Integrity Enforcement, which debuted on the A19 and A19 Pro chips in the iPhone 17 and iPhone 17 Pro. Despite these measures, the company acknowledges that sophisticated adversaries continue to adapt, requiring greater incentives for researchers to uncover and report critical flaws before they can be exploited.

Under the updated program, Apple is introducing Target Flags, a new system that lets researchers demonstrate exactly what level of access they achieved during an exploit, such as arbitrary code execution or system-wide read/write. Once Apple verifies the captured flag, the researcher will receive an accelerated award without waiting for a public fix, streamlining what was previously a months-long process.

The company has also raised rewards in several key categories. A complete Gatekeeper bypass on macOS will now earn $100,000, while chaining WebKit code execution with sandbox escapes can reach up to $300,000. Exploits involving unauthorized iCloud access or wireless proximity hacks over any radio interface in the latest devices can yield $1 million. Even low-impact findings outside major bounty categories will now qualify for smaller $1,000 rewards, encouraging new participants to enter the field.

Since opening the program to all researchers in 2019, Apple says it has paid over $35 million to more than 800 contributors, including multiple half-million-dollar awards. The new structure aims to keep top security talent focused on improving Apple’s ecosystem rather than selling exploits on the black market, where private brokers have been known to offer multi-million-dollar sums for the same vulnerabilities.

About the Author

Asma is an editor at iThinkDifferent with a strong focus on social media, Apple news, streaming services, guides, mobile gaming, app reviews, and more. When not blogging, Asma loves to play with her cat, draw, and binge on Netflix shows.