Apple is making its bug bounty program more rewarding by doubling its top payout to $2 million. The move comes as part of a larger effort to encourage ethical hackers to find and report vulnerabilities in Apple’s software and devices.
The company has long faced criticism for offering smaller rewards compared to competitors like Google and Microsoft. However, this new update signals a major shift in how Apple values cybersecurity research.

Ivan Krstić, Apple’s vice president of Security Engineering and Architecture, told Wired that the company intends to pay “many millions of dollars” to those uncovering critical flaws. “We want to ensure that researchers tackling the hardest problems—those that mirror real-world mercenary spyware attacks—receive substantial rewards,” he said.

Expanded Categories and Early Rewards

Alongside the increased payout, Apple announced new “accelerated awards” and expanded its list of eligible exploit categories. These include wireless proximity attacks and one-click WebKit sandbox escapes, both among the most severe classes of attack on modern devices.
A new Target Flag system will also allow researchers to receive rewards even before Apple releases a fix. This aims to speed up security collaboration while maintaining transparency with ethical hackers.
To attract new participants, Apple has added a permanent $1,000 tier for lower-impact discoveries. This entry-level reward encourages aspiring security researchers to participate and contribute to the safety of Apple’s ecosystem.

A Growing Commitment to Security

Apple first introduced its security bounty program in 2016, initially restricted to invited researchers. The company expanded it to the public in 2020 and has since paid over $35 million to more than 800 researchers worldwide.
The revamped program, set to launch in November 2025, marks another milestone in Apple’s ongoing effort to stay ahead of evolving cyber threats. With higher payouts and broader participation, Apple aims to build stronger defenses against the complex and ever-changing world of digital exploits.