Apple Introduces $2M Bug Bounty for Spyware-Level Exploits

[turbineseaplane]

What information are we talking about being worried about?

Despite all of our concerns about it, one way or another it seems like those that want to know have figured out who we are, where we are, where we go, what we do, what we buy, our SS #, all our vitals and family tree, our credit risk, net worth, assets on hand, if you're sick, if you're pregnant .. on and on and on..

What info are we protecting exactly?
Just credit card numbers from fraud I guess?

Don't misunderstand me -- I want to protect it all!
It just seems like we are largely running plays after the game already ended.

 

[repoman016]

Great program, worst execution. There have been so many exploits that have been disclosed and those who find it do not get even remotely what Apple promises them. This is the reason many exploits remain hidden and get sold to higher bidders

Are some exploits more dangerous (worth more) than others? Genuinely curious

 

[ArtOfWarfare]

May I ask who you do trust?
Or do you trust no one and use Linux exclusively?

No way, Linux has way too many ties to the NSA.

There's only one OS that can be trusted, which was chosen by Him - TempleOS.

 

[SAIRUS]

I think the overall culture shift at Apple is now for others to fix things. A bug bounty program is great as a supplement, but not releasing high quality software from the get go for what Apple charges seems to be mitigating that extra price you pay for a smooth operation.

 

[ProbablyDylan]

What're the odds the NSA or NSO Group would pay more than Tim?

 

[Havoc035]

This is a really good move. I hope it can help protect those most vulnerable to targeted attacks.

 

[bmark]

2 million is a drop in the bucket for Apple! Nothing to see here.

 

[So@So@So]

Nice move from Apple 👍🏻

 

[justanotherdave]

Funny when Apple increases bug bounties and yet people still just find reason to complain.

Waiting for the day Apple cures cancer, charges $99 for the cure and people say it’s too much.

What I always found funny was companies like Zerodium offering huge payouts for exploits. What’s to stop me from collecting money from Zerodium and then telling my friend about the exploit so they can collect from Apple? How would Zerodium (or NSO or other bad actor) even know we did this? We get paid twice for the same exploit.

 

[tennisproha]

Related to this discussion, Jeff shares some flaws..

View attachment 2566184

Clearly Jeff is a hacker more interested in exploiting 0days. He never cared for bounties anyway

 

[justanotherdave]

The common theme is always "master Apple is right sir"

As opposed to the people who claim Apple is always wrong? What’s the difference?

 

[bmark]

Funny when Apple increases bug bounties and yet people still just find reason to complain.

Waiting for the day Apple cures cancer, charges $99 for the cure and people say it’s too much.

What I always found funny was companies like Zerodium offering huge payouts for exploits. What’s to stop me from collecting money from Zerodium and then telling my friend about the exploit so they can collect from Apple? How would Zerodium (or NSO or other bad actor) even know we did this? We get paid twice for the same exploit.

Apple has nothing to do with curing cancer! Maybe if Apple put more resources dealing with iOS bugs then people would be more excited.

 

[IceCool]

Related to this discussion, Jeff shares some flaws..

View attachment 2566184

If this becomes the mindset of enough of the right security researchers, I could almost see a potential resurgence in the jailbreak community…

 

[now i see it]

$2million? Thats like you or I giving a beggar on the street one penny.

 

[turbineseaplane]

$2million? Thats like you or I giving a beggar on the street one penny.

Especially since actually juicy bugs/exploits will fetch orders of magnitude more than that from any number of actors out there.

 

[Macusercom]

Are some exploits more dangerous (worth more) than others? Genuinely curious

Yes, of course. Depending on where the bug is, if you are lucky, you get one that can only be patched with new hardware. Essentially rendering every device with said chip vulnerable indefinitely

 

[I7guy]

100%. They've routinely stolen ideas from Android, iOS Jailbreak tweaks/functions as well as from their own Developers (sherlocking).

It's hilarious to me when people go bananas pointing out others copying from Apple with the unbelievably old and tired "Redmond, start your photocopiers!" gag.

View attachment 2566192

Truth is stranger than fiction.

 

[Mousse]

Company	Program Name	Max Reward (USD)	Notes
Apple	Apple Security Bounty	$2,000,000	For zero-click spyware exploit chains (effective Nov 2025); previously $1M.
Google	Vulnerability Reward Program	$1,500,000	For full-chain zero-click RCE in Android; up to $3.1M for Chrome sandbox escapes.
Microsoft	Microsoft Bounty Programs	$250,000	For critical RCE in Hyper-V or Azure; varies by product (e.g., $100K+ for Edge).
Meta	Meta Bug Bounty	$300,000	For mobile RCE exploits; focuses on privacy/compromise in apps like Facebook/Instagram.
Intel	Intel Bug Bounty	$100,000	For critical hardware RCE; lower for software-only issues.

Honestly I trust none of them. Fully, no way.

Yarp. Apple says they'll keep our data private, but it's only a matter of time. Remember way back when, when Google used to say, "Don't be evil"? Big Tech. Birds of a feather...😗🎶

 

[SMGreenfield]

What prevents Apple from secretly bidding on exploits being auctioned on the open market? They have unlimited funds.

And how does someone even SELL an exploit to the “highest bidder?” Wouldn’t the seller have to prove the exploit works, thus revealing critical aspects of the exploit?

 

[Mac Fly (film)]

Yarp. Apple says they'll keep our data private, but it's only a matter of time. Remember way back when, when Google used to say, "Don't be evil"? Big Tech. Birds of a feather...😗🎶

Only a matter of time? SCA passed 39 years ago.

 

[maxoakland]

Remember when that guy found that exploit and Apple refused to pay him the bug bounty? Why would anyone trust them to follow through?

 

[con2apple]

How would Zerodium (or NSO or other bad actor) even know we did this? We get paid twice for the same exploit.

Now you understand how the world works.

 

[MysteriousStain]

that extra price you pay for a smooth operation.

Going to be hearing Sade in my head all day now!

 

[turbineseaplane]

Going to be hearing Sade in my head all day now!

Coast to coast, LA to Chicago

 

[Mac Fly (film)]

Remember when that guy found that exploit and Apple refused to pay him the bug bounty? Why would anyone trust them to follow through?

Apple would have a clause in this program for exploits already found but not yet published fixes for—obviously they wouldn't advertise these to anyone. If I was to bet I'd say this is what happened that guy but he couldn't accept it—found an unfixed exploit and reported it and Apple told him they had already found it. I don't see what Apple would have to gain, unless they had a rouge employee. You would imagine if they did they would have pressed charges.