Apple doubles bug bounty to ₹16 crore for top hackers finding critical iPhone flaws

New Delhi: Apple is raising the stakes for security researchers. The company has announced a major update to its Apple Security Bounty program, doubling its highest reward to $2 million for discovering exploit chains that match the sophistication of mercenary spyware attacks. The payout can even exceed $5 million if bonuses are included, the highest in the technology industry so far.

The program, launched publicly in 2020, has already awarded over $35 million to more than 800 researchers, according to Apple. “We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks,” the company said in its official blog post.

Apple raises payouts across security categories

Under the new structure, Apple is increasing or doubling rewards across several areas to drive more advanced research.

  • A complete Gatekeeper bypass on macOS now earns $100,000.
  • Broad unauthorised iCloud access fetches $1 million, a category where “no successful exploit has been demonstrated to date.”
  • One-click WebKit sandbox escapes can earn up to $300,000, while wireless proximity exploits across any radio technology will receive up to $1 million.

The company said these expanded categories cover more attack surfaces, including proximity-based attacks and browser vulnerabilities, two of the most exploited vectors in the industry. Apple noted that the goal is to encourage “highly advanced research on our most critical attack surfaces despite the increased difficulty.”

New ‘Target Flags’ to speed up rewards

A big change is the introduction of Target Flags, a system designed to make bounty verification faster and more transparent. These built-in flags act as proof points that researchers can “capture” while demonstrating a vulnerability. Each flag corresponds to a measurable level of exploitability, such as register control, arbitrary read/write, or full code execution.

“Researchers who submit reports with Target Flags will qualify for accelerated awards, which are processed immediately after the research is received and verified, even before a fix becomes available,” Apple explained. That means researchers can get paid much faster, a key concern often raised in bug bounty circles.

Bigger rewards for complex exploit chains

The revised bounty system gives priority to exploit chains that combine multiple vulnerabilities, the kind typically used in high-end spyware campaigns. Apple’s Security Engineering and Architecture (SEAR) team said these attacks “chain many vulnerabilities together, cross different security boundaries, and incrementally escalate privileges.”

Here’s how Apple has raised the bar for its top rewards:

| Attack Type | Previous Maximum | New Maximum |
| --- | --- | --- |
| Zero-click chain (no user interaction) | $1M | $2M |
| One-click chain | $250K | $1M |
| Wireless proximity attack | $250K | $1M |
| Physical device access | $250K | $500K |
| App sandbox escape | $150K | $500K |

Apple said the top rewards will apply only to exploits that target the latest hardware and software, such as the iPhone 17 series with Memory Integrity Enforcement, introduced earlier this year.

Encouraging civil society protection

Apple is also extending its focus on digital safety for activists and journalists. In 2026, the company plans to distribute 1,000 iPhone 17 devices equipped with its latest security features to civil society organisations that help people at risk of spyware attacks. This follows Apple’s ₹83 crore ($10 million) cybersecurity grant announced in 2022 to support groups investigating mercenary spyware.

The company said this effort “reflects our continued commitment to make our most advanced security protections reach those who need them most.”

What this means for researchers

With payouts now crossing the $5 million mark (including bonuses), Apple is setting a new benchmark for the global security research community. The new structure signals a shift towards valuing verifiable, high-impact exploit research over theoretical vulnerabilities.

The changes will officially take effect in November 2025, and Apple will publish detailed reward categories and guidelines on the Apple Security Research site. Until then, the company said it will evaluate all new reports against both old and new frameworks and “award the higher amount.”

For a company that already calls the iPhone “the most secure consumer device in the world,” this is Apple’s way of keeping hackers busy, and on its payroll, not the dark web’s.