Apple’s Bug Bounty Program

Apple is now offering a $2M bounty for a zero-click exploit. According to the Apple website:

Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards, expanded research categories, and a flag system for researchers to objectively demonstrate vulnerabilities and obtain accelerated awards.

  1. We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks. This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of, and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million. We’re also doubling or significantly increasing rewards in many other categories to encourage more intensive research. This includes $100,000 for a complete Gatekeeper bypass, and $1 million for broad unauthorized iCloud access, as no successful exploit has been demonstrated to date in either category.
  2. Our bounty categories are expanding to cover even more attack surfaces. Notably, we’re rewarding one-click WebKit sandbox escapes with up to $300,000, and wireless proximity exploits over any radio with up to $1 million.
  3. We’re introducing Target Flags, a new way for researchers to objectively demonstrate exploitability for some of our top bounty categories, including remote code execution and Transparency, Consent, and Control (TCC) bypasses, and to help determine eligibility for a specific award. Researchers who submit reports with Target Flags will qualify for accelerated awards, which are processed immediately after the research is received and verified, even before a fix becomes available.

Posted on October 15, 2025 at 7:02 AM • 7 Comments

Comments

KC October 15, 2025 9:55 AM

With 2.35 billion Apple devices to protect, it’s commendable Apple is offering the industry’s highest rewards.

Will look forward to seeing the new li$t in November 2025.

Apple says its rewards for remote-entry vectors are significantly increasing, and ‘rewards for attack vectors not commonly observed in real-world attacks are decreasing.’

Apple: [And] While we’ve never observed a real-world, zero-click attack executed purely through WIRELESS proximity, we’re committed to protecting our users against even the most sophisticated threats. [emphasis mine]

We are therefore expanding our wireless proximity bounty to encompass all radio interfaces in our latest devices, and we are doubling the maximum reward for this category to $1 million.

Also, says Apple:

To rapidly make this revolutionary, industry-leading defense [memory integrity enforcement in iPhone 17] available to members of civil society who may be targeted by mercenary spyware, we will provide a thousand iPhone 17 devices to civil society organizations who can get them into the hands of at-risk users.

It looks like several groups may have received supporting grants in the past. Wondering what groups may receive it in the new round.

Clive Robinson October 15, 2025 12:17 PM

@ ALL,

With regards

Apple is now offering a $2M bounty for a zero-click exploit.

The problem is most “bug bounty” operators weasel out in some way, and getting 10 cents on the dollar is about the most you should expect.

However those running Spyware operations pay for “exclusivity” thus pay a lot more than bug bounty programs will.

Thus if you had a solid gold zero-click attack, who would you go to to sell it?

Yup Capitalism ethos says “highest bid” or as the neo-con mantra has it,

“You should never leave money on the table.”

Of the several serious “from login prompt” security vulnerabilities I found I was obviously not a neo-con or Capitalist… Because I told those who could –and did– fix it.

ResearcherZero October 16, 2025 1:07 AM

@Clive

It is not a zero day it is a feature and that is the way the product was designed to work.

Gilbert October 16, 2025 4:19 AM

We have seen, several times, companies claim they offer bounties. And when you submit to them a zero day, they explain to you that you cannot be paid that amount, either nothing or a small amount because the security issue is not a “big one” from their point of view.

When you sell that very same 0-day to criminal organizations OR states like China or Russia, they pay without any issue the agreed amount.

Sorry Apple, but no. Kaspersky did find serious security issues and Apple refused to pay them. In 2024 a security researcher found out that Apple refused to pay them the 50 000 $ of bounty and they silently patched the issue without even telling their users (https://medium.com/@just4g3nt/how-apple-scammed-me-out-of-50-000-in-their-bug-bounty-program-silent-patching-ignoring-me-18455a47a1f6)

Another story from 2021: https://medium.com/@just4g3nt/how-apple-scammed-me-out-of-50-000-in-their-bug-bounty-program-silent-patching-ignoring-me-18455a47a1f6

Apple is known to have multiple times refused to pay bounties where people had either 0-days or security issues that ticked all the criteria they publish for their bounties.

If today you believe Apple will pay you, knowing for how many years they have refused to pay researchers and silently patched the issues, knowing that all those examples and stories are available on Internet, you are nothing but a fool.

If you have an exploit against anything Apple or a 0-day, the only way to be paid properly and be sure to be paid is to sell it to China.

iPhones are the most insecure phones on the market currently: since they all use the same software version, any security hole can be applied to the whole bunch of their models. Android, on the other hand, is so much fractured, with so many versions of Android on so many different phone models, that when you find a security hole it only applies to a small subset of phones.

Funny heh? Apple, by moving all their supported models to the latest and very same iOS software, makes their whole phones easier to attack because the hole is then found on all the supported models at the same time.

Clive Robinson October 16, 2025 7:49 AM

@ Gilbert, ALL,

With regards,

“Funny heh? Apple, by moving all their supported models to the latest and very same iOS software, makes their whole phones easier to attack because the hole is then found on all the supported models at the same time.”

It’s the opposite of “Heterosis” (Hybrid Vigor), and in the natural world evolution ensures it becomes an existential direction for a species to go in[1].

In effect it blocks the desirable benefits of “natural selection”.

One obvious result is that all members have identical strengths and weaknesses. This makes the life of a predator very much easier, and they focus on the weaknesses to the exclusion of variety. The fun side of this is it also causes the predators a potential existential fate as well[2].

So it’s actually possible that both Apple and those that crack their products will in effect become extinct…

These “technology -v- Nature” issues, where technologists do not learn from 4 billion years of natural evolution, are something that is of interest to me as I see more and more of it occurring due to the likes of,

1, Copy-Cat marketing.
2, Excessive marketing feature requirements.
3, Excessive technology reuse.
4, Failure to remove technical deficit and defects.
5, Failure to sufficiently test.
6, overly rapid release tempo.

And several more all caused by neo-con style management being overly prevalent in the technology industries.

[1] Homozygosity across nearly a whole genus genome is the result of “consanguinity” (blood relative) “inbreeding”. Which we know from “closed stud book breeding” in the likes of livestock, pets, and human aristocracy causes heritable genetic disorders that become more and more pronounced with each generation, and it’s called “inbreeding depression”.
Historically an example of this is from the Austro-Spanish Aristocracy, of the development of the Habsburg or Austrian lip, that later became the Habsburg Jaw. Whilst this was easily visible, less so was the increasing madness, imbecility, and sterility. For well over a millennium in Europe such “blood relative marriage” was considered not just normal but desirable (for political reasons). The number of “Royal diseases” that came of it is actually quite shocking.

[2] Because if the predator evolves to attack only those weaknesses of that one target prey type, whilst it offers initial advantages, over time as the prey becomes scarce the predators also die back and can likewise become extinct. The oft quoted example is the “Sabertooth Tiger” (although it’s not correct to do so).

Commenter October 16, 2025 12:28 PM

@Gilbert

From your comment:

Sorry Apple, but no. Kaspersky did find serious security issues and Apple refused to pay them. In 2024 a security researcher found out that Apple refused to pay them the 50 000 $ of bounty and they silently patched the issue without even telling their users (https://medium.com/@just4g3nt/how-apple-scammed-me-out-of-50-000-in-their-bug-bounty-program-silent-patching-ignoring-me-18455a47a1f6)

Another story from 2021: https://medium.com/@just4g3nt/how-apple-scammed-me-out-of-50-000-in-their-bug-bounty-program-silent-patching-ignoring-me-18455a47a1f6

These are the same URL to a story that appears to have been originally published in 2021, but updated in 2024.

Is there another URL you meant to share?
