Apple Offers Up to $2 Million for Finding iPhone Vulnerabilities
Apple has announced a dramatically enhanced security bounty program that sets new industry records, with rewards reaching up to $5 million for critical vulnerabilities.
The tech giant’s unprecedented investment in security research reflects its commitment to staying ahead of sophisticated threats, particularly commercial surveillance software.

Record-Breaking Bounties: From $2 Million to $5 Million
Starting November 2025, Apple’s upgraded bounty program will double its maximum base reward to $2 million—the highest baseline amount in any known bug bounty program to date. But the rewards don’t stop there.
For vulnerabilities that bypass Lockdown Mode or exist in beta software, Apple will stack additional bonuses on top of the base reward, potentially bringing the total payout to an eye-watering $5 million. This means researchers who discover critical flaws could earn between $2 million for standard high-severity bugs and up to $5 million for exceptional discoveries.
According to Ivan Krstic, Apple’s Vice President of Security Engineering and Architecture, the motivation is clear: “We’ve established bounties reaching into the millions of dollars with very deliberate intent. We want the top researchers who can crack the toughest vulnerabilities and address the most complex threats—particularly those who can simulate commercial spyware attack techniques—to receive generous compensation that matches their technical capabilities and the time they invest.”
Expanded Categories and Increased Payouts
Since launching its vulnerability bounty program nearly a decade ago, Apple has consistently offered industry-leading maximum rewards—$200,000 in 2016, rising to $1 million in 2019. To date, the program has paid over $35 million to more than 800 researchers worldwide.
The 2025 update significantly raises rewards across multiple vulnerability categories:
- Complete Gatekeeper bypass: Now worth $100,000
- Unauthorized iCloud access: Increased to $1 million
- One-click WebKit sandbox escape: Set at $300,000
- Wireless proximity vulnerabilities (affecting any radio implementation): Up to $1 million
Notably, the Gatekeeper bypass and unauthorized iCloud access categories represent security boundaries that have never been successfully breached since their introduction—making them particularly attractive targets for skilled researchers.
Introducing Target Flags for Faster Rewards
Apple has introduced a new “Target Flags” mechanism designed to accelerate the reward process. This innovative approach allows researchers to objectively demonstrate exploitability for certain top-tier bounty categories, including remote code execution and Transparency, Consent, and Control (TCC) bypasses.
Researchers who submit reports containing Target Flags will qualify for expedited rewards, with payments processed immediately upon acceptance and verification—even before a fix is publicly released. This change addresses a common complaint in bug bounty programs: lengthy delays between disclosure and payment.
Broader Security Initiatives
Apple’s enhanced bounty program is part of a comprehensive security strategy. In 2022, the company established a $10 million cybersecurity grant to support civil society organizations investigating highly targeted mercenary surveillance attacks.
Last month, with the launch of the iPhone 17, Apple introduced Memory Integrity Enforcement, a new security feature designed to strengthen iPhone defenses against the most common and frequently exploited classes of software vulnerability. In conjunction with this release, Apple announced it will provide 1,000 iPhone 17 devices to civil society organizations, intended for high-risk individuals who may be exposed to commercial spyware attacks.
A Clear Message to the Security Community
Apple’s statement leaves no room for ambiguity: the company seeks vulnerabilities that reach the same level of severity as attacks from sophisticated commercial surveillance software.
By offering industry-leading rewards, Apple aims to ensure that top security researchers choose to work with the company rather than selling exploits on gray or black markets.
The updated program will take effect in November 2025, with complete details on new and expanded bounty categories, reward standards, and payout criteria to be published on the Apple Security Research website.
For the global security research community, Apple’s message is clear: finding critical iPhone vulnerabilities isn’t just important—it’s potentially life-changing, both financially and in terms of protecting users worldwide from sophisticated threats.