macrumors bot
Original poster


Apple has announced a major overhaul of its bug bounty program that doubles the top reward to $2 million for exploit chains that can match the sophistication of mercenary spyware attacks.


With bonuses for Lockdown Mode bypasses and vulnerabilities found in beta software, Apple says its total payouts could exceed $5 million. The company claims this represents "the largest payout offered by any bounty program."

The program now places greater emphasis on complete exploit chains rather than individual vulnerabilities, reflecting the reality that real-world attacks typically chain multiple bugs together. The rewards for remote-entry vectors have also been substantially increased, although categories not commonly seen in actual attacks will receive lower payouts.

As part of the overhaul, Apple is introducing "Target Flags," which are inspired by capture-the-flag games. When a researcher successfully exploits a vulnerability, they can capture a specific flag that proves exactly what level of access they achieved, such as code execution or arbitrary read/write capabilities.

These flags can be verified by Apple, so researchers who submit reports using them can receive notification of their bounty award immediately after Apple validates the captured flag. The payment is also issued in an upcoming payment cycle, meaning researchers won't have to wait until Apple releases a software fix, which can take months. Previously, researchers often had to wait for Apple to patch a vulnerability before receiving payment.

The updated program comes into effect from November 2025. Apple is also expanding categories to include one-click WebKit sandbox escapes worth up to $300,000 and wireless proximity exploits over any radio worth up to $1 million. A complete Gatekeeper bypass on macOS now earns $100,000.

More information on the changes can be found on Apple's Security Research website. Apple says it has paid out over $35 million to more than 800 researchers since launching the public program in 2020.

Article Link: Apple Introduces $2M Bug Bounty for Spyware-Level Exploits
 
This is why I trust Apple with my personal data.
Company   | Program Name                  | Max Reward (USD) | Notes
Apple     | Apple Security Bounty         | $2,000,000       | For zero-click spyware exploit chains (effective Nov 2025); previously $1M.
Google    | Vulnerability Reward Program  | $1,500,000       | For full-chain zero-click RCE in Android; up to $3.1M for Chrome sandbox escapes.
Microsoft | Microsoft Bounty Programs     | $250,000         | For critical RCE in Hyper-V or Azure; varies by product (e.g., $100K+ for Edge).
Meta      | Meta Bug Bounty               | $300,000         | For mobile RCE exploits; focuses on privacy/compromise in apps like Facebook/Instagram.
Intel     | Intel Bug Bounty              | $100,000         | For critical hardware RCE; lower for software-only issues.

Honestly I trust none of them. Fully, no way.
 
Great program, worst execution. There have been so many exploits that have been disclosed, and those who find them do not get even remotely what Apple promises them. This is the reason many exploits remain hidden and get sold to higher bidders.
Absolutely right. This is something that many people just don't appreciate. There is money to be made in finding vulnerabilities and those doing so may wish to sell to the highest bidder, rather than doing the right thing. All companies that create software or hardware that will eventually become the target of hackers should be offering a bug-bounty program. Because if they don't pay for the information, someone else will.
 
Good, they should be encouraging people to find vulnerabilities, and they have the money to do this.
Apple refuses to add another drop of water in the vapor chamber in the new iPhone 17 Pros, which costs approx. 0.005 ct.

I doubt they really want to spend money on this. In fact, a lot of bugs have been reported but never been rewarded.

They either ignore it or release change logs saying they found it on their own!
 
They have done this before with certain apps. Stealing their ideas and implementing it in their OS.

100%. They've routinely stolen ideas from Android, iOS Jailbreak tweaks/functions as well as from their own Developers (sherlocking).

It's hilarious to me when people go bananas pointing out others copying from Apple with the unbelievably old and tired "Redmond, start your photocopiers!" gag.

 
Honestly I trust none of them. Fully, no way.
Why?
Unlike government agencies or small businesses, these companies at least place some value on security.

Did you know that the software company Modern Solution considers it safe to store the master password for the server on the server? That the German government has simply declared unencrypted electronic mailboxes for lawyers and courts to be “secure and encrypted” by law?

We don't need to talk about the motives of the largest companies. But I trust them more to store data securely than I trust my own government.
 
Why?
Unlike government agencies or small businesses, these companies at least place some value on security.

Did you know that the software company Modern Solution considers it safe to store the master password for the server on the server? That the German government has simply declared unencrypted electronic mailboxes for lawyers and courts to be “secure and encrypted” by law?

We don't need to talk about the motives of the largest companies. But I trust them more to store data securely than I trust my own government.
Because of dodgy secrecy laws. To keep us all safe, of course.
 
It's hilarious to me when people go bananas pointing out others copying from Apple with the unbelievably old and tired "Redmond, start your photocopiers!" gag.
That's because of habit. Long-time Apple fans (like most editors at Macrumors) still live with the idea of protecting a small, innocent underdog. One that could be crushed at any time, any day, by the evil, evil, evil people.

They say it takes 50 years for a new idea to spread.
This actually comes from science, but somehow applies to everything else as well.

For over fifteen years, Apple has been one of the largest and most powerful tech companies in the world.
But somehow, many people still haven't realized this.
 
That's because of habit. Long-time Apple fans (like most editors at Macrumors) still live with the idea of protecting a small, innocent underdog. One that could be crushed at any time, any day, by the evil, evil, evil people.

They say it takes 50 years for a new idea to spread.
This actually comes from science, but somehow applies to everything else as well.

For over fifteen years, Apple has been one of the largest and most powerful tech companies in the world.
But somehow, many people still haven't realized this.

It's sort of a strange dichotomy.

On one hand we have people acting like Apple is still the plucky underdog and shouldn't be regulated in any way at all, but in another thread the same type of user will post how "the 1 zillion active Apple users" justifies their every move as a success and "right" and they should be lauded and defended and allowed to do whatever they want.

The common theme is always "master Apple is right sir"
 