Unveiling the new bug bounty payout structure at the Hexacon offensive security conference in Paris on October 10, Krstić said total rewards could surpass $5 million with extra bonuses for discovering Lockdown Mode bypasses or vulnerabilities in beta software.
"We are lining up to pay many millions of dollars here, and there’s a reason," Krstić told Wired. "We want to make sure that for the hardest categories, the hardest problems, the things that most closely mirror the kinds of attacks that we see with mercenary spyware—that the researchers who have those skills and abilities and put in that effort and time can get a tremendous reward."
[Photo: An Apple Store in Wuhan, China, in April 2024. Photo by VnExpress/Luu Quy]
As part of the revamp, Apple is introducing "Target Flags," which let researchers capture proof of the access level they gained, such as code execution or read/write access, so that a report can be verified and the reward paid more quickly, before a software fix ships.
The overhaul, which takes effect in November 2025, also expands vulnerability categories, introduces new validation tools, and increases incentives for tackling sophisticated exploit techniques, Cyber Insider reported.
Apple said the updates are designed to reflect the growing complexity and cost of real-world exploit chains, particularly those linked to spyware vendors and state-level attackers. Since the Security Bounty program launched in 2020, Apple has paid more than $35 million to over 800 researchers, with some individual rewards reaching $500,000.
However, the company noted that its more advanced security architecture has made successful exploits increasingly difficult, prompting higher rewards to maintain researcher participation.