Apple Doubles Security Bounty Rewards to $2 Million

Apple is dramatically revamping its Security Bounty initiative by raising the top reward to $2 million for exploit chains that replicate the capabilities of high-end spyware attacks.

Since the public program launched in 2020, Apple says it has awarded over $35 million to more than 800 security researchers, with individual reports earning rewards of up to $500,000.

The enhanced program introduces larger payouts, new research categories, and a flag-based system called Target Flags that helps validate exploit quality and speeds the reward process.

Under the new structure, exploit chains that meet the sophistication of mercenary spyware attacks can fetch the new maximum of $2 million. But that is just the starting point. Bonuses for Lockdown Mode bypasses or issues detected in beta software could push possible rewards beyond $5 million in certain cases.

Other reward levels are rising too. For instance, Apple is now offering $100,000 for a complete macOS Gatekeeper bypass and $1 million for unauthorized broad iCloud access, two categories in which no fully validated exploit has been publicly demonstrated so far. The program also widens its scope: Apple is adding incentives for one-click WebKit sandbox escapes (up to $300,000) and wireless proximity exploits leveraging any radio (up to $1 million).

A key innovation is the introduction of Target Flags, a mechanism embedded in Apple’s platforms that lets researchers concretely demonstrate exploit capability, such as arbitrary code execution or register control. Those flags help Apple verify findings and enable rewards to be granted immediately after validation, without waiting for a full fix to ship.

Because these flags can be programmatically assessed, Apple plans to issue payments in the next payment cycle once the flag is confirmed, rather than delaying until a patch is released.


Apple emphasizes that the revamped program rewards not just theory, but real exploit chains that span multiple vulnerabilities and cross security boundaries. Partial exploits remain eligible, but full, verifiable chains get the most significant awards.

Beginning November 2025, Apple will publish full details of the updated categories, rewards, and bonus rules along with guidance for using Target Flags. The company will evaluate incoming reports under both old and new criteria, awarding whichever yields the higher reward.
